CVE-2020-25644

Description

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.46%• Percentile: 65%

Techniques & Countermeasures

• CWE-401•Missing Release of Memory after Effective Lifetime

  The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Affected Systems

• org.wildfly.openssl•wildfly-openssl-natives-parent

  < 1.1.3.Final

• netapp•oncommand_insight

  na

• netapp•oncommand_workflow_automation

  na

• netapp•service_level_manager

  na

• redhat•data_grid

  8.0

• redhat•jboss_data_grid

  7.0.0

• redhat•jboss_enterprise_application_platform

  7.0.0

• redhat•jboss_fuse

  7.0.0

• redhat•openshift_application_runtimes

  na

• redhat•single_sign-on

  7.0

• redhat•wildfly_openssl

  < 1.1.3

References (9)

• https://issues.redhat.com/browse/WFSSL-51
• https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files
• https://bugzilla.redhat.com/show_bug.cgi?id=1885485
• https://security.netapp.com/advisory/ntap-20201016-0004/
• https://nvd.nist.gov/vuln/detail/CVE-2020-25644
• https://github.com/wildfly-security/wildfly-openssl-natives/pull/4
• https://github.com/wildfly-security/wildfly-openssl-natives/commit/7c26514676f3fb0dee0bcaa7d4680f982372950f
• https://github.com/wildfly-security/wildfly-openssl-natives
• https://security.netapp.com/advisory/ntap-20201016-0004