Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 5.1.0.Final, 5.0.22.Final
Affects Version/s: None
Labels:
None

Release Note Text:
Undefined
Git Pull Request:
https://github.com/jboss-remoting/jboss-remoting/pull/249, https://github.com/jboss-remoting/jboss-remoting/pull/250, https://github.com/jboss-remoting/jboss-remoting/pull/251

A flaw was found in JBoss Remoting. When a malicious attacker could cause threads holding up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ack messages, or just tamper with jboss-remoting code, deleting the lines that send the ack message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE Info: https://access.redhat.com/security/cve/cve-2020-35510

causes

REM3-387 IOException with message ack timeout expired before timeout has elapsed

Resolved

is incorporated by

JBEAP-21961 [GSS](7.4.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.SP1-redhat-00001

Closed

WFCORE-5423 Upgrade remoting from 5.0.21.Final to 5.0.23.Final (fixes CVE-2020-35510)

Closed

is related to

REM3-388 Move ACK_TIMEOUT to nanoseconds

Resolved

links to

JBoss Remoting Github Issue #271

Assignee:: Flavia Rainone

Reporter:: Flavia Rainone

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2021/05/21 2:22 AM

Updated:: 2022/10/05 6:23 PM

Resolved:: 2021/05/21 11:17 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates