CVE-2024-1635: Uncontrolled Resource Consumption
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
AI Analysis
Technical Summary
CVE-2024-1635 is a vulnerability in Undertow 1.31.0 that leads to uncontrolled resource consumption and potential denial of service. The issue arises in the handling of HTTP upgrade connections to the remoting protocol used by wildfly-http-client. Specifically, when a client opens and then immediately closes a connection, the WriteTimeoutStreamSinkConduit component fails to detect the closure due to the layered nature of the connection. This results in a timeout task being scheduled and retained indefinitely in the XNIO WorkerThread, causing a memory leak and accumulation of open file descriptors. Over time, this leak exhausts server resources, leading to degraded performance or server crashes. The vulnerability can be exploited remotely without authentication or user interaction, making it a significant risk for exposed servers. The CVSS v3.1 score of 7.5 reflects the high impact on availability with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a candidate for denial-of-service attacks. The affected version is specifically Undertow 1.31.0, commonly used in Java-based enterprise environments and middleware stacks such as WildFly application servers.
Potential Impact
The primary impact of CVE-2024-1635 is denial of service through resource exhaustion. By repeatedly opening and closing connections, an attacker can cause the server to consume excessive memory and file descriptors, eventually leading to server instability or crashes. This disrupts availability of applications relying on Undertow, potentially causing downtime and loss of service continuity. Organizations with critical services running on affected Undertow versions may face operational disruptions, customer dissatisfaction, and financial losses. The vulnerability does not affect confidentiality or integrity but poses a significant risk to service availability, especially in environments exposed to untrusted networks. The ease of remote exploitation without authentication increases the threat level, making it attractive for attackers aiming to disrupt services. Large-scale or automated attacks could amplify the impact, affecting multiple servers or services simultaneously.
Mitigation Recommendations
To mitigate CVE-2024-1635, organizations should prioritize upgrading Undertow to a patched version once available from the vendor or applying official patches. In the absence of patches, implement network-level controls such as rate limiting and connection throttling on the HTTP ports to reduce the risk of rapid connection open/close cycles. Monitor server resource usage closely, including memory consumption and open file descriptors, to detect early signs of exploitation. Employ Web Application Firewalls (WAFs) or intrusion prevention systems (IPS) that can identify and block suspicious connection patterns. Review and harden server configurations to limit the number of concurrent connections and timeouts. Additionally, isolate critical services behind load balancers or reverse proxies that can absorb or filter malicious traffic. Regularly audit and update middleware components to reduce exposure to similar vulnerabilities.
Affected Countries
United States, Germany, India, Japan, Brazil, United Kingdom, France, Canada, Australia, South Korea
CVE-2024-1635: Uncontrolled Resource Consumption
Description
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-1635 is a vulnerability in Undertow 1.31.0 that leads to uncontrolled resource consumption and potential denial of service. The issue arises in the handling of HTTP upgrade connections to the remoting protocol used by wildfly-http-client. Specifically, when a client opens and then immediately closes a connection, the WriteTimeoutStreamSinkConduit component fails to detect the closure due to the layered nature of the connection. This results in a timeout task being scheduled and retained indefinitely in the XNIO WorkerThread, causing a memory leak and accumulation of open file descriptors. Over time, this leak exhausts server resources, leading to degraded performance or server crashes. The vulnerability can be exploited remotely without authentication or user interaction, making it a significant risk for exposed servers. The CVSS v3.1 score of 7.5 reflects the high impact on availability with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a candidate for denial-of-service attacks. The affected version is specifically Undertow 1.31.0, commonly used in Java-based enterprise environments and middleware stacks such as WildFly application servers.
Potential Impact
The primary impact of CVE-2024-1635 is denial of service through resource exhaustion. By repeatedly opening and closing connections, an attacker can cause the server to consume excessive memory and file descriptors, eventually leading to server instability or crashes. This disrupts availability of applications relying on Undertow, potentially causing downtime and loss of service continuity. Organizations with critical services running on affected Undertow versions may face operational disruptions, customer dissatisfaction, and financial losses. The vulnerability does not affect confidentiality or integrity but poses a significant risk to service availability, especially in environments exposed to untrusted networks. The ease of remote exploitation without authentication increases the threat level, making it attractive for attackers aiming to disrupt services. Large-scale or automated attacks could amplify the impact, affecting multiple servers or services simultaneously.
Mitigation Recommendations
To mitigate CVE-2024-1635, organizations should prioritize upgrading Undertow to a patched version once available from the vendor or applying official patches. In the absence of patches, implement network-level controls such as rate limiting and connection throttling on the HTTP ports to reduce the risk of rapid connection open/close cycles. Monitor server resource usage closely, including memory consumption and open file descriptors, to detect early signs of exploitation. Employ Web Application Firewalls (WAFs) or intrusion prevention systems (IPS) that can identify and block suspicious connection patterns. Review and harden server configurations to limit the number of concurrent connections and timeouts. Additionally, isolate critical services behind load balancers or reverse proxies that can absorb or filter malicious traffic. Regularly audit and update middleware components to reduce exposure to similar vulnerabilities.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2024-02-19T17:25:58.418Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d983ec4522896dcbefa69
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 3/18/2026, 6:30:35 PM
Last updated: 3/25/2026, 2:54:53 AM
Views: 81
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.