A newly discovered vulnerability (CVE-2024-6162) found in the Undertow web server can potentially cause denial of service attacks due to improper handling of URL-encoded request paths during concurrent requests on the AJP (Apache JServ Protocol) listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

Code Snippet

Consider a scenario in which two requests are served concurrently, request A for "/foo%20bar" and request B for "/foo%2Fbar":

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;

public class UndertowAJPTestCase {

   public static void main(String[] args) {
       // AJP listener on port 8009: the listener affected by CVE-2024-6162
       Undertow server = Undertow.builder()
               .addAjpListener(8009, "localhost")
               .setHandler(new HttpHandler() {
                   @Override
                   public void handleRequest(HttpServerExchange exchange) throws Exception {
                       // Echo the decoded request path; under the race this may belong to another request
                       String path = exchange.getRequestPath();
                       exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                       exchange.getResponseSender().send("Requested Path: " + path);
                   }
               }).build();
       server.start();
   }
}

During the decoding process, both requests might attempt to modify the shared buffer, causing A to be served with B's path and vice versa, leading to incorrect path information being processed.
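The following is an added, stand-alone illustration of that bug pattern; it is not Undertow's code and the decoder, buffer size and class name are assumptions. It decodes the two paths from the scenario above concurrently, first through a single buffer shared by all callers (the flawed pattern) and then through a buffer allocated per request, and counts how many decoded paths came back wrong.

```java
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class SharedDecodeBufferDemo {
    // Flawed pattern (hypothetical, not Undertow's code): one decode buffer shared by every request.
    private static final byte[] SHARED = new byte[256];

    static String decodeShared(String encoded) { return decodeInto(encoded, SHARED); }

    // Correct pattern: each request decodes into a buffer of its own.
    static String decodePerRequest(String encoded) { return decodeInto(encoded, new byte[256]); }

    // Minimal percent-decoder: writes decoded bytes into buf, then builds the String from it.
    private static String decodeInto(String s, byte[] buf) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                buf[n++] = (byte) Integer.parseInt(s.substring(i + 1, i + 3), 16);
                i += 2;
            } else {
                buf[n++] = (byte) c;
            }
            Thread.yield(); // widen the race window so the mix-up shows up quickly
        }
        return new String(buf, 0, n, StandardCharsets.UTF_8);
    }

    // Decodes the two paths from the write-up concurrently and counts results that are not the expected path.
    static int countMismatches(Function<String, String> decoder, int rounds) throws Exception {
        String[] in = {"/foo%20bar", "/foo%2Fbar"};
        String[] want = {"/foo bar", "/foo/bar"};
        ExecutorService pool = Executors.newFixedThreadPool(2);
        AtomicInteger bad = new AtomicInteger();
        for (int r = 0; r < rounds; r++) {
            for (int k = 0; k < in.length; k++) {
                final int idx = k;
                pool.submit(() -> { if (!want[idx].equals(decoder.apply(in[idx]))) bad.incrementAndGet(); });
            }
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared buffer mismatches:      " + countMismatches(SharedDecodeBufferDemo::decodeShared, 20000));
        System.out.println("per-request buffer mismatches: " + countMismatches(SharedDecodeBufferDemo::decodePerRequest, 20000));
    }
}
```

The per-request variant reports zero mismatches on every run; the shared variant reports a run-dependent, non-zero count, which is exactly the kind of cross-request path corruption a code review or a concurrency test of the decoding path should be looking for.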

Original References

- Red Hat Security Advisory
- Undertow AJP Listener Concurrent Requests Vulnerability
- AJP Protocol Specification

Exploit Details

A potential attacker can exploit this vulnerability by sending numerous concurrent requests with URL-encoded paths to the Undertow server running on the AJP listener. Since the server uses the same buffer to decode the paths for multiple requests simultaneously, the paths may get mixed up between the requests. Consequently, the server may attempt to access the wrong path, leading to errors such as "404 Not Found" or other application failures. In a denial of service attack scenario, an attacker floods the server with such requests, rendering the target application unresponsive and inaccessible to legitimate users.

Mitigation

- Limit the number of concurrent connections allowed on the AJP listener
- Utilize a reverse proxy, such as Nginx or Apache HTTP Server, in front of your Undertow server to filter requests based on IP addresses or rate-limiting rules
- Turn off the AJP listener if it is not required by your application, and instead, serve traffic over HTTP or HTTPS

Conclusion

CVE-2024-6162 is a critical vulnerability in Undertow's handling of URL-encoded request paths on the AJP listener during concurrent requests. This flaw can lead to denial of service attacks, rendering the application unresponsive and inaccessible. It is crucial for administrators and application developers to be aware of this vulnerability and to apply appropriate mitigations to secure their Undertow web servers.

Timeline

Published on: 06/20/2024 15:15:50 UTC
Last modified on: 08/05/2024 15:51:35 UTC