CVE-2020-25689

Description

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:L/Au:S/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 0.24%• Percentile: 47%

Techniques & Countermeasures

• CWE-401•Missing Release of Memory after Effective Lifetime

  The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Affected Systems

• org.wildfly•wildfly-dist

  < 21.0.1

• netapp•active_iq_unified_manager

  na

• netapp•oncommand_insight

  na

• netapp•service_level_manager

  na

• red hat•wildfly-core

  ≤ 21.0.0.Final

• redhat•fuse

  6.0.0

• redhat•jboss_data_grid

  7.0.0

• redhat•jboss_enterprise_application_platform

  7.0.0

• redhat•jboss_fuse

  7.0.0

• redhat•openshift_application_runtimes

  na

• redhat•single_sign-on

  7.0

• redhat•wildfly

  ≤ 21.0.0

References (4)

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689
• https://security.netapp.com/advisory/ntap-20201123-0006/
• https://nvd.nist.gov/vuln/detail/CVE-2020-25689
• https://security.netapp.com/advisory/ntap-20201123-0006