SCA: security update for io.undertow:undertow-core (GHSA-w6qf-42m7-vh68)

high Tenable Self-Hosted Container Security Plugin ID 421465

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-
client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server
and then closes the connection immediately, the server will end with both memory and open file limits
exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the
WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting
ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP
upgrade, there is an external layer to the remoting connection. This connection is unaware of the
outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow
WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because
WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which
is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the
connections and causes the leak. (CVE-2024-1635)

Solution

Update the io.undertow:undertow-core library and its related packages to version 2.2.31.Final or later.

See Also

https://github.com/advisories/GHSA-w6qf-42m7-vh68

Plugin Details

Severity: High

ID: 421465

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-1635

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/20/2024

Vulnerability Publication Date: 2/19/2024

Reference Information

CVE: CVE-2024-1635

cwe: CWE-400