CVE-2024-3653
📋 TL;DR
This CVE describes a vulnerability in Undertow's learning-push handler when it is enabled with its default configuration (maxAge left unset). An attacker can trigger it with ordinary HTTP requests to cause resource exhaustion and denial of service. Only systems on which the learning-push handler has been explicitly enabled are affected.
💻 Affected Systems
- Undertow
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Resource exhaustion leading to denial of service, potentially disrupting web server availability
Likely Case
Degraded server performance or temporary unavailability under targeted attack
If Mitigated
No impact if learning-push handler is disabled or properly configured
🎯 Exploit Status
Exploitation requires HTTP access to the server and the learning-push handler to be enabled
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4392
Restart Required: Yes
Instructions:
1. Update Undertow to the patched version from the Red Hat repositories.
2. Restart affected services.
3. Verify configuration changes if needed.
🔧 Temporary Workarounds
Disable learning-push handler
Ensure the learning-push handler is disabled in the server configuration
Check Undertow configuration files for 'learning-push' handler settings
Configure maxAge parameter
Set maxAge to a positive value in the learning-push handler configuration
Configure maxAge > 0 in the Undertow server configuration
🧯 If You Can't Patch
- Disable learning-push handler in server configuration
- Implement network controls to restrict HTTP access to vulnerable servers
🔍 How to Verify
Check if Vulnerable:
Check whether the learning-push handler is enabled in the Undertow configuration with maxAge = -1 or unset
Check Version:
Consult your application server's documentation for the command that reports the Undertow version
Verify Fix Applied:
Verify that the Undertow version is patched and that the learning-push handler is either disabled or configured with maxAge > 0
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP request patterns to learning-push endpoints
- Resource exhaustion warnings in server logs
Network Indicators:
- Multiple HTTP requests to learning-push handler endpoints
- Unusual traffic patterns to vulnerable server
SIEM Query:
Search for HTTP requests containing 'learning-push' in URI path or unusual resource consumption patterns
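The log and network indicators above can be checked offline against an access log. The following script is an added example, not part of this advisory or of Undertow; it assumes the server writes Common Log Format access logs, uses the 'learning-push' URI-path indicator named above, and treats the burst threshold and time window as tunable assumptions. The sample log lines are constructed.

```python
"""Added example: scan web-server access logs for the indicators listed in the advisory."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicator taken from the advisory text: 'learning-push' appearing in the URI path.
URI_INDICATOR = "learning-push"

# Constructed sample traffic (assumption: CLF access log). 10.0.0.7 issues a burst,
# 10.0.0.9 only has the indicator in the query string, and one line is malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2024:12:00:00 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2024:12:00:01 +0000] "GET /app/learning-push/a.css HTTP/1.1" 200 88
10.0.0.7 - - [10/Jul/2024:12:00:02 +0000] "GET /app/learning-push/b.js HTTP/1.1" 200 91
10.0.0.5 - - [10/Jul/2024:12:00:03 +0000] "GET /app/main.js HTTP/1.1" 200 2048
10.0.0.7 - - [10/Jul/2024:12:00:03 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2024:12:00:04 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2024:12:00:05 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2024:12:00:06 +0000] "GET /app/learning-push/c.png HTTP/1.1" 200 4096
10.0.0.7 - - [10/Jul/2024:12:00:07 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2024:12:00:08 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Jul/2024:12:00:20 +0000] "GET /app/search?q=learning-push HTTP/1.1" 200 300
this line is not a valid access-log record
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    return entry


def find_uri_indicator(entries, indicator=URI_INDICATOR):
    """Return entries whose URI *path* (query string ignored) contains the indicator."""
    hits = []
    for e in entries:
        path = e["uri"].split("?", 1)[0]
        if indicator in path:
            hits.append(e)
    return hits


def find_bursts(entries, threshold, window_seconds):
    """Return {client: peak requests in any sliding window} for clients above threshold.

    threshold and window_seconds are tuning assumptions, not advisory values.
    """
    per_client = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["time"]):
        per_client[e["client"]].append(e["time"])
    flagged = {}
    for client, times in per_client.items():
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[client] = peak
    return flagged


def analyze(log_text, threshold=5, window_seconds=10):
    """Run both indicator checks over raw log text and summarise the findings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "parsed": len(entries),
        "indicator_hits": find_uri_indicator(entries),
        "bursty_clients": find_bursts(entries, threshold, window_seconds),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"parsed {report['parsed']} records")
    for hit in report["indicator_hits"]:
        print(f"indicator: {hit['client']} {hit['method']} {hit['uri']}")
    for client, peak in report["bursty_clients"].items():
        print(f"burst: {client} made {peak} requests within the window")
```

The path-only match avoids flagging clients merely because a query parameter happens to contain the indicator string, and the per-client sliding window gives a concrete form to the "unusual request patterns" indicator that the advisory leaves unspecified.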
🔗 References
- https://access.redhat.com/errata/RHSA-2024:4392
- https://access.redhat.com/errata/RHSA-2024:5143
- https://access.redhat.com/errata/RHSA-2024:5144
- https://access.redhat.com/errata/RHSA-2024:5145
- https://access.redhat.com/errata/RHSA-2024:5147
- https://access.redhat.com/errata/RHSA-2024:6437
- https://access.redhat.com/security/cve/CVE-2024-3653
- https://bugzilla.redhat.com/show_bug.cgi?id=2274437
- https://security.netapp.com/advisory/ntap-20240828-0002/