CVE-2024-1635 Overview
A resource exhaustion vulnerability was discovered in Undertow affecting servers that support the wildfly-http-client protocol. When a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will exhaust both memory and open file limits, depending on the amount of available memory.
The vulnerability occurs during HTTP upgrade to remoting, where the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Since the remoting connection originates in Undertow as part of the HTTP upgrade process, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing during the connection opening procedure, leaving WriteTimeoutStreamSinkConduit unnotified of the closed connection. Because WriteTimeoutStreamSinkConduit creates a timeout task, the entire dependency tree leaks via that task, which is added to the XNIO WorkerThread.
Critical Impact
Attackers can cause denial of service by exhausting server memory and file descriptor limits through repeated connection manipulation, potentially bringing down critical enterprise infrastructure components.
Affected Products
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- NetApp OnCommand Workflow Automation
- Red Hat JBoss Enterprise Application Platform 7.4
- Red Hat OpenShift Container Platform 4.11 and 4.12
- Red Hat OpenShift Container Platform for LinuxONE 4.9 and 4.10
- Red Hat OpenShift Container Platform for Power 4.9 and 4.10
- Red Hat Single Sign-On 7.6
- Red Hat Fuse 1.0
- Red Hat Integration Camel for Spring Boot
Discovery Timeline
- February 19, 2024 - CVE-2024-1635 published to NVD
- June 25, 2025 - Last updated in NVD database
Technical Details for CVE-2024-1635
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) allows attackers to trigger a denial of service condition in Undertow-based servers. The flaw resides in the connection handling logic during HTTP upgrade to remoting protocols.
When a client establishes and immediately terminates a connection during the HTTP upgrade handshake, the server's connection cleanup mechanism fails to properly notify all involved components. The WriteTimeoutStreamSinkConduit component maintains a reference to the connection object and creates a timeout task that gets registered with the XNIO WorkerThread. Since the conduit is never notified of the connection closure, this timeout task persists, holding references to the connection objects and preventing garbage collection.
Repeated exploitation of this behavior causes cumulative resource leaks, eventually exhausting available memory and file descriptors. This makes the vulnerability particularly dangerous in high-availability environments where connection reliability is critical.
Root Cause
The root cause lies in the layered connection architecture during HTTP upgrade operations. The remoting connection, which originates within Undertow's HTTP handling, operates as an inner layer unaware of the outermost connection layer. When the RemotingConnection is closed by the ServerConnectionOpenListener during the connection opening procedure, only the inner layer is notified. The outer Undertow layer, specifically the WriteTimeoutStreamSinkConduit, never receives the closure notification. This design flaw means the timeout task created by the conduit continues to hold references to connection objects, and these references are added to the XNIO WorkerThread queue, causing the entire dependency tree to leak.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs only to establish TCP connections to the HTTP port of a vulnerable server and immediately close them during the HTTP upgrade handshake. By automating this process and executing it repeatedly, an attacker can systematically exhaust server resources.
The attack pattern involves:
- Initiating a TCP connection to the server's HTTP port
- Beginning the HTTP upgrade handshake to the wildfly-http-client protocol
- Immediately closing the connection before the upgrade completes
- Repeating this process to accumulate leaked resources until the server becomes unresponsive
This attack requires no authentication and can be executed by any network-accessible client, making it a significant threat to internet-facing deployments.
Detection Methods for CVE-2024-1635
Indicators of Compromise
- Gradual increase in server memory consumption without corresponding legitimate traffic increase
- File descriptor exhaustion warnings in system logs or application logs
- Unusual patterns of rapidly opened and closed HTTP connections in network logs
- XNIO worker thread pool growth or abnormal thread behavior
Detection Strategies
- Monitor system-level file descriptor usage using tools like lsof or /proc/sys/fs/file-nr on Linux systems
- Implement connection rate limiting and track connection duration patterns to identify anomalous short-lived connections
- Configure JVM monitoring to track heap growth and garbage collection patterns that may indicate memory leaks
- Review Undertow and JBoss EAP application logs for connection handling errors or timeout-related warnings
Monitoring Recommendations
- Deploy network intrusion detection rules to alert on high volumes of short-lived HTTP connections from single sources
- Establish baseline metrics for memory and file descriptor usage, alerting on deviations beyond normal operational thresholds
- Enable detailed logging for the Undertow subsystem to capture connection lifecycle events for forensic analysis
How to Mitigate CVE-2024-1635
Immediate Actions Required
- Apply vendor-supplied patches immediately to all affected Undertow and JBoss EAP deployments
- Implement connection rate limiting at the network or load balancer level to reduce the impact of exploitation attempts
- Monitor server resource utilization closely and configure automatic service restarts if resource thresholds are exceeded
- Review firewall rules to restrict access to HTTP management ports to trusted networks only
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability. Administrators should apply the appropriate patches based on their deployment:
- Red Hat Security Advisory RHSA-2024:1674
- Red Hat Security Advisory RHSA-2024:1675
- Red Hat Security Advisory RHSA-2024:1676
- Red Hat Security Advisory RHSA-2024:1677
- Red Hat Security Advisory RHSA-2024:1860
- Red Hat Security Advisory RHSA-2024:1861
NetApp customers should refer to the NetApp Security Advisory NTAP-20240322-0007 for guidance on Active IQ Unified Manager and OnCommand Workflow Automation deployments.
For additional technical details and tracking, see Red Hat Bug Report #2264928.
Workarounds
- Deploy a reverse proxy or web application firewall in front of vulnerable servers to filter suspicious connection patterns
- Implement OS-level connection rate limiting using iptables or nftables to throttle rapid connections from single sources
- Configure system-wide file descriptor limits higher than normal to provide buffer time before exhaustion occurs
- Disable the wildfly-http-client protocol upgrade if not required for application functionality
# Example: Rate limit new connections using iptables
# Limit new HTTP connections to 10 per minute per source IP
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Monitor file descriptor usage
watch -n 5 'cat /proc/sys/fs/file-nr'
# Increase file descriptor limits in /etc/security/limits.conf
# undertow_user soft nofile 65536
# undertow_user hard nofile 65536
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
