CVE-2024-5971
📋 TL;DR
A vulnerability in Undertow's chunked response handling causes incomplete termination of TLSv1.3 responses, leading clients to wait indefinitely. This allows attackers to cause denial of service through resource exhaustion. Only affects systems using Java 17 with TLSv1.3 enabled.
💻 Affected Systems
- Undertow
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for affected endpoints, exhausting server resources and making services unavailable.
Likely Case
Partial service degradation as connections hang, impacting application availability and performance.
If Mitigated
Minimal impact if TLSv1.3 is disabled or Java version is changed.
🎯 Exploit Status
Exploitation requires TLSv1.3 connections to vulnerable endpoints; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories (RHSA-2024:4392, 4884, 5143-5145) for specific patched versions.
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4392
Restart Required: Yes
Instructions:
1. Identify the affected Undertow version.
2. Apply the relevant Red Hat patch from the advisories above.
3. Restart the application server.
4. Verify the fix with testing.
🔧 Temporary Workarounds
Disable TLSv1.3
Configure the server to use TLSv1.2 or earlier protocols instead of TLSv1.3.
Configure SSL/TLS settings in application server to exclude TLSv1.3
Use Java 11 or earlier
Switch to Java 11 or earlier versions, which don't exhibit this specific TLSv1.3 behavior.
Update JAVA_HOME and PATH to point to Java 11 installation
🧯 If You Can't Patch
- Implement network controls to limit TLSv1.3 connections to trusted sources only.
- Monitor connection pools and implement automatic termination of hanging connections.
🔍 How to Verify
Check if Vulnerable:
Check whether the Undertow server runs on Java 17 with TLSv1.3 enabled; test with TLSv1.3 client connections for hanging responses.
Check Version:
Run java -version (look for Java 17) and check the Undertow version via application server logs/configuration.
Verify Fix Applied:
After patching, test TLSv1.3 connections to verify responses complete properly without hanging.
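As an added check for the verification steps above (example code, not from Red Hat or the Undertow project): a Python probe that fetches a path over TLSv1.3 only and reports whether the chunked response reached its terminating zero-length chunk before the read timed out. The host, path, port and timeout are assumptions; the parser is exercised on constructed byte strings embedded below.

```python
import socket
import ssl

def chunked_body_complete(body: bytes) -> bool:
    """True if `body` is a chunked HTTP body that ends with the zero-length
    terminator chunk (followed by optional trailers and a blank line)."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return False                        # chunk-size line never completed
        size_field = body[pos:nl].split(b";", 1)[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return False                        # malformed size line
        pos = nl + 2
        if size == 0:
            rest = body[pos:]
            return rest.startswith(b"\r\n") or b"\r\n\r\n" in rest
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False                        # data truncated mid-chunk
        pos += size + 2

def response_complete(raw: bytes) -> bool:
    """True when the response is not chunked (the bug does not apply) or when
    its chunked body was properly terminated."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in head.lower():
        return True
    return chunked_body_complete(body)

def probe(host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> bool:
    """Fetch `path` over TLSv1.3 only (hypothetical target values); False means
    the server stopped sending before the terminating chunk arrived."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(req)
            try:
                while chunk := tls.recv(4096):
                    buf += chunk
            except socket.timeout:
                pass                            # hung: judge what arrived so far
    return response_complete(buf)

# Constructed samples: a properly terminated chunked response and one that
# stops after its data chunk, as a hung TLSv1.3 response would look.
COMPLETE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
HUNG = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n"
```

Run `probe("your.host", "/some/chunked/path")` against a test instance before and after patching; a server that never sends the terminator yields False until the fix is applied.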
📡 Detection & Monitoring
Log Indicators:
- Unusually long connection durations
- Connection timeouts for TLSv1.3 requests
- Resource exhaustion warnings
Network Indicators:
- Multiple incomplete TLSv1.3 sessions
- Abnormal connection termination patterns
SIEM Query:
source="application.logs" AND ("connection timeout" OR "hanging" OR "TLSv1.3") AND duration>30s
🔗 References
- https://access.redhat.com/errata/RHSA-2024:4392
- https://access.redhat.com/errata/RHSA-2024:4884
- https://access.redhat.com/errata/RHSA-2024:5143
- https://access.redhat.com/errata/RHSA-2024:5144
- https://access.redhat.com/errata/RHSA-2024:5145
- https://access.redhat.com/errata/RHSA-2024:5147
- https://access.redhat.com/errata/RHSA-2024:6508
- https://access.redhat.com/errata/RHSA-2024:6883
- https://access.redhat.com/security/cve/CVE-2024-5971
- https://bugzilla.redhat.com/show_bug.cgi?id=2292211
- https://security.netapp.com/advisory/ntap-20240828-0001/