CVE-2024-6162

Undertow: url-encoded request path information can be broken on ajp-listener

Description

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

Remediation

Workaround:

  • To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url="false" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 7.85% Top 10%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Red Hat EAP 8.0.1
Affected: Red Hat Red Hat build of Apache Camel 4.4.1 for Spring Boot
Affected: Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Affected: Red Hat Red Hat build of Apache Camel for Spring Boot 3
Affected: Red Hat Red Hat build of Apache Camel - HawtIO 4
Affected: Red Hat Red Hat Build of Keycloak
Affected: Red Hat Red Hat Data Grid 8
Affected: Red Hat Red Hat Fuse 7
Affected: Red Hat Red Hat Integration Camel K 1
Affected: Red Hat Red Hat JBoss Data Grid 7
Affected: Red Hat Red Hat JBoss Enterprise Application Platform 7
Affected: Red Hat Red Hat JBoss Enterprise Application Platform 8
Affected: Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Affected: Red Hat Red Hat Process Automation 7
Affected: Red Hat Red Hat Single Sign-On 7
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHSA-2024:1194 vendor advisory
https://access.redhat.com/errata/RHSA-2024:4386 vendor advisory
https://access.redhat.com/errata/RHSA-2024:4884 vendor advisory
https://access.redhat.com/security/cve/CVE-2024-6162 vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2293069 issue tracking
https://issues.redhat.com/browse/JBEAP-26268
https://security.netapp.com/advisory/ntap-20241129-0009/

Frequently Asked Questions

What is the severity of CVE-2024-6162?
CVE-2024-6162 has been scored as a high severity vulnerability.
How to fix CVE-2024-6162?
As a workaround for remediating CVE-2024-6162: To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url="false" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.
Is CVE-2024-6162 being actively exploited in the wild?
It is possible that CVE-2024-6162 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~8% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6162?
CVE-2024-6162 affects Red Hat EAP 8.0.1, Red Hat Red Hat build of Apache Camel 4.4.1 for Spring Boot, Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat Red Hat build of Apache Camel for Spring Boot 3, Red Hat Red Hat build of Apache Camel - HawtIO 4, Red Hat Red Hat Build of Keycloak, Red Hat Red Hat Data Grid 8, Red Hat Red Hat Fuse 7, Red Hat Red Hat Integration Camel K 1, Red Hat Red Hat JBoss Data Grid 7, Red Hat Red Hat JBoss Enterprise Application Platform 7, Red Hat Red Hat JBoss Enterprise Application Platform 8, Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat Red Hat Process Automation 7, Red Hat Red Hat Single Sign-On 7.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.