CVE-2020-10705 Overview
A memory exhaustion vulnerability was discovered in Red Hat Undertow, a lightweight Java-based web server used as the default web server in WildFly Application Server. The flaw exists in versions prior to Undertow 2.1.1.Final, where specially crafted requests using the Expect: 100-continue HTTP header can trigger an out of memory error condition. This vulnerability can be exploited remotely without authentication to cause a denial of service by exhausting server memory resources.
Critical Impact
Remote attackers can exploit this vulnerability to crash Undertow-based applications by sending malicious HTTP requests with Expect: 100-continue headers, leading to memory exhaustion and service unavailability.
Affected Products
- Red Hat Undertow (versions before 2.1.1.Final)
- Red Hat JBoss Enterprise Application Platform 7.2
- Red Hat OpenShift Application Runtimes
- Red Hat Enterprise Linux 6.0, 7.0, and 8.0
- NetApp OnCommand Insight
Discovery Timeline
- 2020-06-10 - CVE-2020-10705 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-10705
Vulnerability Analysis
This vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The flaw resides in how Undertow processes HTTP requests containing the Expect: 100-continue header. When a client sends a request with this header, it signals that the client intends to send a request body and wants the server to confirm it can accept the body before transmission.
In vulnerable versions of Undertow, improper handling of certain malformed or repeated Expect: 100-continue requests causes unbounded memory allocation. An attacker can exploit this behavior by sending a series of crafted requests that force the server to allocate memory without proper limits, eventually exhausting available memory and causing the Java Virtual Machine (JVM) to throw an OutOfMemoryError, effectively crashing the application.
Root Cause
The root cause of this vulnerability stems from insufficient resource management in Undertow's HTTP request processing pipeline. When handling Expect: 100-continue headers, the server fails to enforce proper limits on memory allocation during request processing. This lack of resource throttling allows attackers to trigger excessive memory consumption through specially crafted HTTP requests, leading to resource exhaustion conditions.
Attack Vector
This vulnerability can be exploited remotely over the network without requiring authentication or user interaction. An attacker can target any Undertow-based web application exposed to the network by sending HTTP requests with malicious Expect: 100-continue headers. The attack is relatively straightforward to execute, as it only requires the ability to send HTTP requests to the target server. Multiple requests can amplify the impact, rapidly depleting server memory resources and causing service disruption.
The attack leverages the HTTP/1.1 protocol's Expect: 100-continue mechanism, which is designed for clients to verify server readiness before sending large request bodies. By abusing this mechanism, attackers can force memory allocation without actually transmitting the expected request body data.
Detection Methods for CVE-2020-10705
Indicators of Compromise
- Unusual spikes in memory consumption on Undertow-based application servers
- Increased frequency of HTTP requests containing Expect: 100-continue headers from single sources
- Java OutOfMemoryError exceptions in application logs
- Service restarts or crashes without apparent cause correlating with HTTP traffic spikes
Detection Strategies
- Monitor application server memory usage patterns and alert on abnormal consumption rates
- Implement HTTP request logging and analyze for anomalous Expect: 100-continue header patterns
- Deploy web application firewalls (WAF) with rules to detect and rate-limit suspicious Expect header usage
- Use SentinelOne Singularity Platform to detect resource exhaustion attempts and abnormal process behavior
Monitoring Recommendations
- Configure JVM monitoring to track heap memory usage and garbage collection patterns
- Set up alerts for memory utilization exceeding normal operational thresholds
- Implement centralized logging to correlate HTTP request patterns with server health metrics
- Monitor for repeated connection attempts from single IP addresses targeting application endpoints
How to Mitigate CVE-2020-10705
Immediate Actions Required
- Upgrade Undertow to version 2.1.1.Final or later immediately
- For JBoss EAP deployments, apply the latest security patches from Red Hat
- Implement rate limiting on incoming HTTP requests at the load balancer or reverse proxy level
- Consider temporarily blocking or filtering requests with Expect: 100-continue headers if upgrade is not immediately possible
Patch Information
Red Hat has released security updates to address this vulnerability. Users should upgrade to Undertow version 2.1.1.Final or later to remediate this issue. For enterprise deployments using JBoss Enterprise Application Platform, consult the Red Hat Bug Report #1803241 for specific patch guidance and version information.
NetApp OnCommand Insight users should review the NetApp Security Advisory NTAP-20220210-0014 for applicable patches and mitigation guidance.
Workarounds
- Deploy a reverse proxy or load balancer in front of Undertow to filter or rate-limit Expect: 100-continue requests
- Configure JVM memory limits and implement automatic restart procedures to mitigate impact
- Use network-level access controls to restrict access to Undertow-based services from untrusted networks
- Implement application-level request validation to reject malformed HTTP headers before they reach Undertow
# Example: Configure Nginx as reverse proxy to rate-limit Expect headers
# Add to nginx.conf server block
limit_req_zone $binary_remote_addr zone=expect_limit:10m rate=10r/s;
# In location block
location / {
limit_req zone=expect_limit burst=20 nodelay;
proxy_pass http://undertow_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
