Elytron OAuth2IntrospectValidator is vulnerable to Uncontrolled Resource Consumption

Solution In Progress

Issue

According to sonatype-2021-0864, WildFly Elytron is vulnerable to Uncontrolled Resource Consumption.
The openConnection method in OAuth2IntrospectValidator.class does not set a connection timeout or a read timeout on the HTTP connection used to introspect the token. An attacker can exploit this by perpetually attempting to establish a connection, tying up server resources and resulting in a Denial of Service (DoS) condition.
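The following is an added illustration of the missing control, not Elytron's own code: a token-introspection call that bounds both the connect and the read phase with HttpURLConnection timeouts, run against a constructed local endpoint that accepts the request and never answers. The class, method and endpoint names, the token value and the timeout values are assumptions for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class IntrospectTimeoutDemo {

    // Hardened pattern: bound both the TCP connect and the wait for the introspection
    // response. Without the two setXxxTimeout calls, HttpURLConnection defaults to 0,
    // meaning "wait forever", which is the resource-exhaustion condition described above.
    static HttpURLConnection openIntrospectionConnection(URL endpoint, int connectMs, int readMs)
            throws IOException {
        HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setConnectTimeout(connectMs); // absent in the vulnerable pattern
        conn.setReadTimeout(readMs);       // absent in the vulnerable pattern
        return conn;
    }

    // Sends the introspection request; throws SocketTimeoutException once readMs elapses
    // with no response, freeing the calling thread instead of blocking it indefinitely.
    static int introspect(URL endpoint, String token, int connectMs, int readMs) throws IOException {
        HttpURLConnection conn = openIntrospectionConnection(endpoint, connectMs, readMs);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(("token=" + token).getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a stalled introspection endpoint (assumption): it accepts
        // the request and sleeps 5 s before replying, longer than the client's read timeout.
        HttpServer stalled = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stalled.createContext("/introspect", ex -> {
            try { Thread.sleep(5_000); } catch (InterruptedException ignored) { }
            ex.sendResponseHeaders(200, -1);
        });
        stalled.start();
        URL endpoint = new URL("http://127.0.0.1:" + stalled.getAddress().getPort() + "/introspect");
        long start = System.nanoTime();
        try {
            introspect(endpoint, "placeholder-token", 1_000, 1_000);
            System.out.println("unexpected: endpoint answered in time");
        } catch (SocketTimeoutException e) {
            System.out.println("read timeout fired after ~" + (System.nanoTime() - start) / 1_000_000 + " ms");
        } finally {
            stalled.stop(0); // returns at once; the JVM exits when the sleeping handler finishes
        }
    }
}
```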

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.4.0 GA
