Wildfly HTTP Client Vulnerability Leaves Servers Open to Resource Exhaustion Attacks

CVE: CVE-2024-1635
CVSS (v3.1): 7.5
Source: CVE-2024-1635

A critical vulnerability was discovered in Undertow, an open source web server that is commonly used as part of the WildFly application server. This vulnerability could allow a remote attacker to exhaust all available memory and file handles on servers using Undertow’s wildfly-http-client protocol.

The issue stems from how Undertow handles HTTP connections that are upgraded to its remoting protocol. When a connection is closed prematurely during the upgrade process, Undertow fails to properly clean up resources. By opening many connections and closing them immediately, an attacker could cause Undertow’s memory and file handle usage to grow over time until the server crashes or becomes unavailable.

This resource exhaustion attack does not require any authentication: an attacker could trigger the vulnerability simply by sending automated requests from any internet-connected device. Servers with low memory limits or heavy existing load are most at risk.

The best way to protect yourself is to update to the latest version of Undertow or WildFly, which contains a patch for this vulnerability. You should also consider limiting the number of concurrent connections allowed from a single IP address to reduce the effectiveness of any attack. Monitoring server resources (memory and open file handles) can also help detect the unusual growth that may indicate an attack is underway.
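As an added example of the monitoring advice above (not code from the advisory or from the Undertow project), the script below scans access-log lines for clients that churn many protocol-upgrade connections in a short window. It assumes an operator-configured log pattern of `%h %t "%r" %s`, uses status 101 (Switching Protocols) as the marker of an upgraded connection, and the endpoint path and sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed access-log pattern (configured by the operator, not an Undertow default):
#   %h %t "%r" %s   ->  client IP, timestamp, request line, status code
# A 101 response marks a connection upgraded to the remoting protocol; a burst
# of 101s from one client is the churn pattern that precedes resource exhaustion.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; the endpoint path and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 [10/Mar/2024:12:00:00 +0000] "GET /remoting-endpoint HTTP/1.1" 101
203.0.113.7 [10/Mar/2024:12:00:00 +0000] "GET /remoting-endpoint HTTP/1.1" 101
203.0.113.7 [10/Mar/2024:12:00:01 +0000] "GET /remoting-endpoint HTTP/1.1" 101
203.0.113.7 [10/Mar/2024:12:00:01 +0000] "GET /remoting-endpoint HTTP/1.1" 101
203.0.113.7 [10/Mar/2024:12:00:02 +0000] "GET /remoting-endpoint HTTP/1.1" 101
198.51.100.4 [10/Mar/2024:12:00:02 +0000] "GET /remoting-endpoint HTTP/1.1" 101
198.51.100.4 [10/Mar/2024:12:00:40 +0000] "GET /index.html HTTP/1.1" 200
"""

def parse(line):
    """Return (ip, timestamp, status) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"]))

def upgrade_churn(lines, window_s=10, threshold=5):
    """Return {ip: peak count} for clients whose upgraded connections (status 101)
    reach `threshold` within any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent upgrades
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, status = rec
        if status != 101:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(upgrade_churn(SAMPLE_LOG.splitlines()))   # {'203.0.113.7': 5}
```

Pair the flagged addresses with process-level checks of open file handles and heap use on the WildFly host; a rising handle count that does not fall back when connections close is the symptom the advisory describes.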
