CVE-2018-1114 — Uncontrolled Resource Consumption in Undertow

Description

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.

How to fix CVE-2018-1114

To remediate CVE-2018-1114, upgrade the affected package to a fixed version below.

Debian/undertow—upgrade to 1.4.25-1 or later
—upgrade to 1.4.25.Final or later

Is CVE-2018-1114 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.25-1
from 0, < 1.4.25.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1114
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-1114
WEBaccess.redhat.com/errata/RHSA-2018:2643
WEBaccess.redhat.com/errata/RHSA-2018:2669
WEB