CVE-2014-0193

Impact:
Low
Public Date:
2014-05-01
CWE:
CWE-400
Bugzilla:
1092783: CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service.

Find out more about CVE-2014-0193 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal 6.2 RHSA-2015:1009 2015-05-14
Red Hat JBoss Fuse Service Works 6.0 RHSA-2015:0720 2015-03-24
Red Hat JBoss BPMS 6.0 RHSA-2015:0234 2015-02-17
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2014:1021 2014-08-06
Red Hat JBoss BRMS 6.0 RHSA-2014:0818 2014-06-30
Red Hat JBoss Data Virtualization 6.0 RHSA-2015:0765 2015-03-31
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (netty) RHSA-2014:1019 2014-08-06
Red Hat JBoss Fuse 6.1 RHSA-2014:1351 2014-10-01
Red Hat JBoss A-MQ 6.1 RHSA-2014:1351 2014-10-01
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:0675 2015-03-11
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (netty) RHSA-2014:1020 2014-08-06
Red Hat JBoss Operations Network 3.2 RHSA-2014:0910 2014-07-21
Red Hat JBoss BRMS 6.0 RHSA-2015:0235 2015-02-17

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 netty Will not fix
Red Hat Satellite 6 netty Fix deferred
Red Hat JBoss Portal 5 netty Will not fix
Red Hat JBoss Enterprise SOA Platform 5 netty Will not fix
Red Hat JBoss EAP 5 netty Will not fix
Red Hat JBoss Data Grid 6 netty Not affected
Red Hat JBoss BRMS 5 netty Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank James Roper of Typesafe for reporting this issue.
Last Modified