操作系统--麒麟信安操作系统,国产操作系统,麒麟信安云桌面—

公告ID (KylinSec-SA-2024-4942)

摘要:

undertow security update

安全等级: High

公告ID: KylinSec-SA-2024-4942

发布日期: 2025年2月25日

关联CVE: CVE-2024-4109

详细介绍

1. 漏洞描述

Java web server using non-blocking IO

Security Fix(es):

Description: Product Security received a report that Undertow might incorrectly re-use an HTTP request header value from a previous stream for a request associated with a subsequent stream on the same HTTP/2 connection. The issue is linked to the readHpackString method and its interaction with the stringBuilder field. While such behavior typically results in an error followed by the termination of the HTTP/2 connection, it presents a potential vector for information leakage between requests. The original reporter referenced a similar issue in Apache Tomcat (CVE-2020-17527). In the patch for that vulnerability (https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb) a StringBuilder field was improperly reused across multiple requests, leading to this issue. In the io.undertow.protocols.http2.HpackDecoder class of Undertow, within the readHpackString method, there is a code pattern identical to the one mentioned: ``` for (int i = 0; i < length; ++i) { stringBuilder.append((char) buffer.get()); } String ret = stringBuilder.toString(); stringBuilder.setLength(0); if (ret.isEmpty()) { //return the interned empty string, rather than allocating a new one each time return ""; } ``` Steps to reproduce: No reproducers or PoC were provided, this issue was identified through static testing. Affected versions: 2.2.x, 2.3.x, and 3.x(CVE-2024-4109)