diff --git a/CVE-2021-3690.patch b/CVE-2021-3690.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f559345aa874117d47af4e29543a70980a540742
--- /dev/null
+++ b/CVE-2021-3690.patch
@@ -0,0 +1,25 @@
+From abbaa6e883e6b4d082f13347e0f8e332097f9554 Mon Sep 17 00:00:00 2001
+From: Andrey Marinchuk
+Date: Sat, 31 Jul 2021 00:26:57 +0300
+Subject: [PATCH] [UNDERTOW-1935] - buffer leak on incoming websocket PONG
+ message
+
+Origin:
+https://github.com/undertow-io/undertow/commit/97482a5d4114001d45f9b07f1d2893749cdcba8b
+---
+ .../src/main/java/io/undertow/websockets/jsr/FrameHandler.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+index 12ae5bb38c..a93822587d 100644
+--- a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
++++ b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+@@ -152,6 +152,8 @@ public void run() {
+ }
+ }
+ });
++ } else {
++ bufferedBinaryMessage.getData().free();
+ }
+ }
+
diff --git a/CVE-2023-1973.patch b/CVE-2023-1973.patch
new file mode 100644
index 0000000000000000000000000000000000000000..075637f5996ee2db5115ee55b7632ac9895b458d
--- /dev/null
+++ b/CVE-2023-1973.patch
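Review bot: The added `else` branch frees the pooled buffer only on the path where the PONG has nothing to dispatch to; the other branch, which ends with the `});` of what appears to be a deferred callback, is the one that now owns `bufferedBinaryMessage`, and this hunk alone cannot show that the buffer is released after that callback runs or when it fails. The enclosing `run()` starts well before the hunk, so that needs checking against the full method in the 1.4.0 tree rather than against upstream 97482a5d, whose `index 12ae5bb38c..a93822587d` line comes from a different revision of FrameHandler and may only apply here with offset. A one-line comment would record why the free sits on this branch only: `// no PONG handler registered, so nothing will consume the data: release the pooled buffer here`.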
@@ -0,0 +1,131 @@
+From 0410f3c4d9b39b754a2203a29834cac51da11258 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Richard=20Op=C3=A1lka?=
+Date: Fri, 19 Jan 2024 19:52:31 +0100
+Subject: [PATCH] [UNDERTOW-2264] CVE-2023-1973 Force session timeout to 2
+ minutes when session was created during the authentication phase. Once
+ authentication is complete restore original (configured) session timeout.
+
+Signed-off-by: Flavia Rainone
+
+Origin:
+https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258
+---
+ .../impl/FormAuthenticationMechanism.java | 28 +++++++++++++++++--
+ .../ServletFormAuthenticationMechanism.java | 20 ++++++++++++-
+ 2 files changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+index 22f95a6..5e6981e 100644
+--- a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
++++ b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+@@ -45,9 +45,8 @@ import static io.undertow.UndertowMessages.MESSAGES;
+ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+
+ public static final String LOCATION_ATTRIBUTE = FormAuthenticationMechanism.class.getName() + ".LOCATION";
+-
+ public static final String DEFAULT_POST_LOCATION = "/j_security_check";
+-
++ protected static final String ORIGINAL_SESSION_TIMEOUT = "io.undertow.servlet.form.auth.orig.session.timeout";;
+ private final String name;
+ private final String loginPage;
+ private final String errorPage;
+@@ -55,6 +54,13 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+ private final FormParserFactory formParserFactory;
+ private final IdentityManager identityManager;
+
++ /**
++ * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the
++ * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that
++ * exist before the authentication process starts will retain their original session timeout throughout.
++ */
++ protected final int authenticationSessionTimeout = 120;
++
+ public FormAuthenticationMechanism(final String name, final String loginPage, final String errorPage) {
+ this(FormParserFactory.builder().build(), name, loginPage, errorPage);
+ }
+@@ -144,6 +150,10 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+ protected void handleRedirectBack(final HttpServerExchange exchange) {
+ final Session session = Sessions.getSession(exchange);
+ if (session != null) {
++ final Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++ if (originalSessionTimeout != null) {
++ session.setMaxInactiveInterval(originalSessionTimeout);
++ }
+ final String location = (String) session.removeAttribute(LOCATION_ATTRIBUTE);
+ if(location != null) {
+ exchange.addDefaultResponseListener(new DefaultResponseListener() {
+@@ -179,7 +189,19 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+ }
+
+ protected void storeInitialLocation(final HttpServerExchange exchange) {
+- Session session = Sessions.getOrCreateSession(exchange);
++ Session session = Sessions.getSession(exchange);
++ boolean newSession = false;
++ if (session == null) {
++ session = Sessions.getOrCreateSession(exchange);
++ newSession = true;
++ }
++ if (newSession) {
++ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++ if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++ session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++ session.setMaxInactiveInterval(authenticationSessionTimeout);
++ }
++ }
+ session.setAttribute(LOCATION_ATTRIBUTE, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+ }
+
+diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+index 9c5c704..51a0b68 100644
+--- a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
++++ b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+@@ -30,6 +30,7 @@ import io.undertow.server.session.Session;
+ import io.undertow.servlet.handlers.ServletRequestContext;
+ import io.undertow.servlet.spec.HttpSessionImpl;
+ import io.undertow.servlet.util.SavedRequest;
++import io.undertow.servlet.spec.ServletContextImpl;
+ import io.undertow.util.Headers;
+ import io.undertow.util.RedirectBuilder;
+
+@@ -120,13 +121,26 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+ return;
+ }
+ final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
+- HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
++ final ServletContextImpl servletContextImpl = servletRequestContext.getCurrentServletContext();
++ HttpSessionImpl httpSession = servletContextImpl.getSession(exchange, false);
++ boolean newSession = false;
++ if (httpSession == null) {
++ httpSession = servletContextImpl.getSession(exchange, true);
++ newSession = true;
++ }
+ Session session;
+ if (System.getSecurityManager() == null) {
+ session = httpSession.getSession();
+ } else {
+ session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+ }
++ if (newSession) {
++ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++ if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++ session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++ session.setMaxInactiveInterval(authenticationSessionTimeout);
++ }
++ }
+ session.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+ SavedRequest.trySaveRequest(exchange);
+ }
+@@ -143,6 +157,10 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+ } else {
+ session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+ }
++ Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++ if (originalSessionTimeout != null) {
++ session.setMaxInactiveInterval(originalSessionTimeout);
++ }
+ String path = (String) session.getAttribute(SESSION_KEY);
+ if (path != null) {
+ try {
+--
+2.46.2
+
diff --git a/CVE-2023-5379.patch b/CVE-2023-5379.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49c4b8848b6ac58f2a809904fe4271ebf1654896
--- /dev/null
+++ b/CVE-2023-5379.patch
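Review bot: In both `storeInitialLocation` and the servlet override the 120-second cap is applied only when `originalMaxInactiveInterval > authenticationSessionTimeout`, so a session whose configured interval is zero or negative — which the servlet `HttpSession` contract defines as "never expires" — keeps that setting through the unauthenticated phase, the one deployment where the unbounded pre-authentication session lifetime this CVE is about matters most. If Undertow's `Session.getMaxInactiveInterval()` follows the same convention (not visible in the hunk; confirm in the session implementation), the guard in both places should read `if (originalMaxInactiveInterval <= 0 || originalMaxInactiveInterval > authenticationSessionTimeout) {`, and the stored value can then be the local `originalMaxInactiveInterval` rather than a second `getMaxInactiveInterval()` call. Two smaller points: the `ORIGINAL_SESSION_TIMEOUT` declaration ends in `;;`, and nothing restores the original interval when authentication is abandoned, which is presumably intended since the capped session simply expires; a sentence to that effect in the `authenticationSessionTimeout` javadoc would save the next reader from looking for the missing branch. The method at `@@ -143,6 +157,10 @@` starts before the hunk, so whether that restore runs only after a successful authentication cannot be confirmed from the visible lines.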
@@ -0,0 +1,36 @@
+From b0732610112cb2066b5e43a47a11008edfacee02 Mon Sep 17 00:00:00 2001
+From: Flavia Rainone
+Date: Thu, 8 Jun 2023 01:22:47 -0300
+Subject: [PATCH] [UNDERTOW-2280] CVE-2023-5379 At AjpReadListener, do not
+ close the connection if read is larger than maxRequestSize
+
+Signed-off-by: Flavia Rainone
+
+Origin:
+https://github.com/undertow-io/undertow/commit/b422fdf0f2a5a051a9cd1664ead8277e421a0083
+---
+ .../java/io/undertow/server/protocol/ajp/AjpReadListener.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+index 8f9c94abb0..a9631b3717 100644
+--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
++++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+@@ -19,6 +19,7 @@
+ package io.undertow.server.protocol.ajp;
+
+ import io.undertow.UndertowLogger;
++import io.undertow.UndertowMessages;
+ import io.undertow.UndertowOptions;
+ import io.undertow.conduits.ConduitListener;
+ import io.undertow.conduits.EmptyStreamSourceConduit;
+@@ -165,8 +166,7 @@ public void handleEvent(final StreamSourceChannel channel) {
+ }
+ if (read > maxRequestSize) {
+ UndertowLogger.REQUEST_LOGGER.requestHeaderWasTooLarge(connection.getPeerAddress(), maxRequestSize);
+- safeClose(connection);
+- return;
++ throw UndertowMessages.MESSAGES.badRequest();
+ }
+ } while (!state.isComplete());
+
diff --git a/undertow.spec b/undertow.spec
index 9cd92c93f19c566675ea04f596f891b6f6c6c574..bf7c759f0022e08c92842f80e375fe0b64b8f404 100644
--- a/undertow.spec
+++ b/undertow.spec
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name: undertow
 Version: 1.4.0
-Release: 7
+Release: 8
 Summary: Java web server using non-blocking IO
 License: ASL 2.0
 URL: http://undertow.io/
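Review bot: The patch header's `From b0732610…` names a different upstream commit than the `Origin:` trailer, which points at b422fdf0…, so the file carries two provenance claims for the same diff; one is presumably a branch cherry-pick of the other, but a backport tagged with a CVE id should name the commit its hunks were actually exported from so the content can be re-verified against upstream. On the code, replacing `safeClose(connection); return;` with `throw UndertowMessages.MESSAGES.badRequest();` hands the oversized-header case to whatever `handleEvent` catches below this hunk; the method continues outside the visible lines, so it is worth confirming in the 1.4.0 `AjpReadListener` that the exception thrown from inside the do/while is caught there and answered with a 400 on the same connection, rather than escaping the read callback and closing the channel anyway, which would leave the original behaviour in place. A short comment at the throw would record the intent: `// CVE-2023-5379: answer 400 instead of closing the AJP connection`.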
@@ -13,6 +13,9 @@ Patch1: CVE-2020-10705.patch
 Patch2: CVE-2019-3888.patch
 Patch3: CVE-2020-10719.patch
 Patch4: CVE-2023-1108.patch
+Patch5: CVE-2021-3690.patch
+Patch6: CVE-2023-1973.patch
+Patch7: CVE-2023-5379.patch
 BuildArch: noarch
 Epoch: 1
 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -37,12 +40,7 @@ Summary: Javadoc for %{name}
 This package contains the API documentation for %{name}.
 %prep
-%setup -q -n %{name}-%{namedversion}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%autosetup -n %{name}-%{namedversion} -p1
 rm -rf mac-jdk-fix
 #Remove test cases suspected of containing viruses
@@ -79,6 +77,9 @@ export CXXFLAGS="${RPM_OPT_FLAGS}"
 %license LICENSE.txt
 %changelog
+* Tue Nov 05 2024 yaoxin - 1:1.4.0-8
+- Fix CVE-2021-3690,CVE-2023-1973 and CVE-2023-5379
+
 * Mon Aug 21 2023 yaoxin - 1:1.4.0-7
 - Fix build failure caused by jboss-classfilewriter upgrade to 1.3.0