CVE-2020-25644
Severity: HIGH
WildFly OpenSSL < 1.1.3 - Memory Leak Denial of Service via HTTP Session Removal
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, in the code path that removes an HTTP session. It may allow an attacker to cause an out-of-memory (OOM) condition, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References (4)
Issue Tracking, Patch, Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1885485
Patch, Third Party Advisory: https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files
Permissions Required, Vendor Advisory: https://issues.redhat.com/browse/WFSSL-51
Third Party Advisory: https://security.netapp.com/advisory/ntap-20201016-0004/
Scores
CVSS v3
7.5
EPSS
0.0046
EPSS Percentile
64.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-401 (Missing Release of Memory after Effective Lifetime)
Status
published
Products (11)
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/service_level_manager
org.wildfly.openssl/wildfly-openssl-natives-parent
0 - 1.1.3.Final (Maven)
redhat/data_grid
8.0
redhat/jboss_data_grid
7.0.0
redhat/jboss_enterprise_application_platform
7.0.0
redhat/jboss_fuse
7.0.0
redhat/openshift_application_runtimes
redhat/single_sign-on
7.0
... and 1 more
Published
Oct 06, 2020
Tracked Since
Feb 18, 2026