CVE-2024-6162
📋 TL;DR
CVE-2024-6162 is a race condition vulnerability in Undertow's AJP listener where URL-encoded request paths can be mishandled during concurrent requests, causing the server to access incorrect paths. This leads to denial of service as legitimate resources become inaccessible. Organizations using Undertow with AJP listener enabled are affected.
💻 Affected Systems
- Undertow
- Red Hat JBoss Web Server
- Red Hat JBoss EAP
- WildFly
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where all AJP requests fail with 404 errors, making web applications completely unavailable to users.
Likely Case
Intermittent 404 errors and application failures for users accessing resources via AJP, causing degraded service availability.
If Mitigated
Minimal impact if the AJP listener is disabled or if request concurrency is limited through rate limiting.
🎯 Exploit Status
Exploitation requires sending concurrent URL-encoded requests to the AJP listener, which is straightforward for attackers. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Undertow 2.3.12.Final, 2.2.30.Final, or later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-6162
Restart Required: Yes
Instructions:
1. Identify the Undertow version.
2. Update to the patched version via package manager or manual download.
3. Restart the application server.
4. Verify the fix by checking the version and testing AJP requests.
🔧 Temporary Workarounds
Disable AJP Listener
Disable the AJP connector in the Undertow configuration if it is not required for your deployment.
Edit standalone.xml or equivalent config file and remove or comment out AJP listener configuration
Rate Limit AJP Requests
Implement rate limiting or connection throttling for AJP requests to reduce concurrency.
Configure connection limits in web server or load balancer settings
🧯 If You Can't Patch
- Disable AJP listener entirely if not required for application functionality
- Implement network segmentation to restrict AJP access to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the Undertow version: java -jar undertow-core.jar --version, or examine META-INF/MANIFEST.MF. If the version is below 2.2.30.Final (2.2 branch) or below 2.3.12.Final (2.3 branch) and the AJP listener is enabled, the system is vulnerable.
Check Version:
grep 'Implementation-Version' META-INF/MANIFEST.MF or check application server version info
Verify Fix Applied:
Verify that the Undertow version is 2.2.30.Final or 2.3.12.Final or later. Test with concurrent URL-encoded AJP requests to confirm that no path mix-ups occur.
📡 Detection & Monitoring
Log Indicators:
- Increased 404 errors for valid resources
- AJP request failures
- Concurrent request errors in Undertow logs
Network Indicators:
- Unusual volume of AJP requests with URL-encoded paths
- Spike in 404 responses from AJP endpoints
SIEM Query:
source="undertow.log" AND ("404" OR "AJP error") AND "concurrent"
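The two log indicators above (404s for resources that were being served fine a moment earlier, and a high share of 404s on URL-encoded paths) can be checked directly against an access log. The following is an added example, not part of this advisory; the common-log-style line layout and the sample lines are constructed assumptions, not real Undertow output.

```python
"""Flag paths that flip from 200 to 404 within a short window, and measure
the share of 404s on percent-encoded paths. Log layout below is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a common-log-style layout (not real Undertow output).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:00:01 +0000] "GET /app/report%20q1.pdf HTTP/1.1" 200 5120
10.0.0.6 - - [12/Jun/2024:10:00:02 +0000] "GET /app/report%20q1.pdf HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jun/2024:10:00:03 +0000] "GET /app/report%20q1.pdf HTTP/1.1" 404 0
10.0.0.8 - - [12/Jun/2024:10:00:03 +0000] "GET /app/report%20q1.pdf HTTP/1.1" 404 0
10.0.0.9 - - [12/Jun/2024:10:00:04 +0000] "GET /app/report%20q1.pdf HTTP/1.1" 404 0
10.0.0.9 - - [12/Jun/2024:10:00:04 +0000] "GET /app/missing HTTP/1.1" 404 0
10.0.0.5 - - [12/Jun/2024:10:05:00 +0000] "GET /app/index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(lines):
    """Yield (timestamp, path, status) for every line the regex understands."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["path"], int(m["status"])

def flapping_paths(lines, window=timedelta(minutes=1), min_404=3):
    """Paths served with 200 that then return >= min_404 404s within `window`.
    A path never served successfully (a genuinely missing file) is ignored."""
    last_ok, bad = {}, defaultdict(int)
    for ts, path, status in parse(lines):
        if status == 200:
            last_ok[path] = ts
        elif status == 404 and path in last_ok and ts - last_ok[path] <= window:
            bad[path] += 1
    return {p: n for p, n in bad.items() if n >= min_404}

def encoded_404_share(lines):
    """Fraction of 404 responses whose request path contains a percent-encoded byte."""
    paths = [path for _, path, status in parse(lines) if status == 404]
    if not paths:
        return 0.0
    return sum("%" in p for p in paths) / len(paths)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(flapping_paths(lines), encoded_404_share(lines))
```

Point it at a real log by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to your access-log format; tune `window` and `min_404` to the traffic volume of the AJP-fronted application.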
🔗 References
- https://access.redhat.com/errata/RHSA-2024:1194
- https://access.redhat.com/errata/RHSA-2024:4386
- https://access.redhat.com/errata/RHSA-2024:4884
- https://access.redhat.com/security/cve/CVE-2024-6162
- https://bugzilla.redhat.com/show_bug.cgi?id=2293069
- https://issues.redhat.com/browse/JBEAP-26268
- https://security.netapp.com/advisory/ntap-20241129-0009/