CVE-2016-9589

HIGH

Redhat Jboss Wildfly Application Server < 10.1.0 - Denial of Service

Title source: rule

Description

Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.

Exploits (2)

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2016-9589-undertow-vulnerable

View Code ZIP pw:eip

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2016-9589-undertow-vulnerable

View Code ZIP pw:eip

References (13)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0830.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0831.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0832.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0834.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0876.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97060

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:0872

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:0873

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3454

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3455

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3456

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3458

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=1404782

Scores

CVSS v3 7.5

EPSS 0.0219

EPSS Percentile 84.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-400

Status published

Products (3)

org.wildfly/wildfly-undertow 0 - 11.0.0.Beta1Maven

redhat/jboss_wildfly_application_server 11.0.0 alpha1

redhat/jboss_wildfly_application_server < 10.1.0

Published Mar 12, 2018

Tracked Since Feb 18, 2026