Описание
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Отчет
This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, “MadeYouReset” is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling — malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 4 | undertow-core | Affected | ||
| Red Hat build of Apache Camel - HawtIO 4 | undertow-core | Not affected | ||
| Red Hat Data Grid 8 | undertow-core | Will not fix | ||
| Red Hat Enterprise Linux 10 | moditect | Not affected | ||
| Red Hat Enterprise Linux 8 | pki-core:10.6/resteasy | Affected | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/resteasy | Affected | ||
| Red Hat Enterprise Linux 9 | resteasy | Affected | ||
| Red Hat Fuse 7 | undertow-core | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 7 | undertow-core | Affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | org.jberet-jberet-parent | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
A flaw was found in Undertow where malformed client requests can trigg ...
EPSS
7.5 High
CVSS3