1. What is this vulnerability and why does it matter?

This vulnerability, identified as CVE-2024-1635, affects servers utilizing Undertow that support the wildfly-http-client protocol. It is a resource exhaustion vulnerability where a malicious actor can open and immediately close connections to the server's HTTP port. This action leads to a leak in connections and associated resources, specifically in the WriteTimeoutStreamSinkConduit, ultimately causing the server to exhaust both memory and open file limits. This matters significantly because resource exhaustion can lead to a denial-of-service (DoS) condition, rendering the affected server unresponsive and unavailable to legitimate users.

2. What are the CVSS score, severity level, and disclosure details?

The CVSS score for CVE-2024-1635 is 7.5. This score generally indicates a High severity level. The vulnerability was publicly disclosed and published on February 19, 2024, at 21:23:14 UTC, and last modified on March 17, 2026, at 20:16:47 UTC.

3. Which products, vendors, systems, and versions are affected?

This vulnerability primarily affects servers that use Undertow and support the wildfly-http-client protocol. Specifically, it impacts the Undertow component where an HTTP upgrade to remoting occurs. The provided CVE data does not specify exact affected versions of Undertow or related products, but it is implied to be present in versions where the described connection handling and timeout task mechanisms are in place.

4. What is the technical root cause and attack vector?

The technical root cause lies in how Undertow handles connection closures during an HTTP upgrade to remoting when the RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Specifically, the WriteTimeoutStreamSinkConduit leaks connections because it is not properly notified of the closed connection in this scenario. When the remoting connection, which originates in Undertow as part of the HTTP upgrade, is closed externally, the outermost layer (Undertow's conduit) remains unaware. This results in the WriteTimeoutStreamSinkConduit creating a timeout task that maintains a reference to the leaked connection's dependency tree, which is then added to an XNIO WorkerThread. Consequently, the worker thread points to the Undertow conduit, holding onto the connections and causing the resource leak. The attack vector involves a malicious user repeatedly opening and immediately closing connections with the server's HTTP port.

5. How can this vulnerability be exploited?

This vulnerability can be exploited by a malicious user repeatedly performing the following actions:

1. Initiating a connection to the server's HTTP port.
2. Triggering an HTTP upgrade to the wildfly-http-client protocol, which involves the remoting connection.
3. Immediately closing the connection before the server's internal mechanisms can properly deallocate resources associated with the WriteTimeoutStreamSinkConduit and its timeout task.

By performing these steps in quick succession or in a sustained manner, the attacker can cause a continuous leak of memory and file descriptors, eventually leading to the exhaustion of server resources and a denial-of-service condition.

6. What mitigation steps and patches are available?

The provided CVE data does not explicitly state specific mitigation steps or available patches. Organizations should monitor official advisories from Red Hat, Undertow, or WildFly project maintainers for updates and patches addressing CVE-2024-1635. Typically, patches would involve correcting the logic where the WriteTimeoutStreamSinkConduit is not notified of closed connections, ensuring proper resource deallocation.

7. How can vulnerable systems be detected?

Vulnerable systems can be detected by:

• Identifying servers running Undertow and exposing the wildfly-http-client protocol to untrusted networks.
• Checking the installed versions of Undertow and related WildFly components against vendor advisories.
• Monitoring server resources such as memory utilization and open file descriptor counts. A steady increase in these metrics without corresponding legitimate workload increases, especially after observing numerous short-lived connections to the HTTP port, could indicate an active exploitation attempt or the presence of the vulnerability.
• Reviewing server logs for unusual patterns of connection establishments and immediate terminations, particularly those involving HTTP upgrade requests.

8. What are the indicators of compromise (IOCs)?

Given the nature of this resource exhaustion vulnerability, potential Indicators of Compromise (IOCs) would include:

• Persistent high memory usage on the affected server processes (e.g., WildFly, Undertow).
• Consistent increase in open file descriptor count until exhaustion, leading to errors.
• Server unresponsiveness or sluggish performance (e.g., slow HTTP response times, failed connections).
• System logs showing errors related to "out of memory" or "too many open files".
• Network traffic analysis revealing an unusually high rate of connection establishments followed by immediate terminations to the HTTP port.
• Error messages in application logs indicating connection handling failures related to the Undertow or remoting components.

9. Which threat actors are known to exploit this vulnerability?

The provided CVE data does not specify any known threat actors or groups that are actively exploiting CVE-2024-1635. This type of vulnerability, however, is typically exploited by opportunistic attackers seeking to disrupt services or by competitors engaged in denial-of-service attacks.

10. What public intelligence references and advisories exist?

The primary public intelligence reference for this vulnerability is its CVE identifier: CVE-2024-1635. Additional advisories and detailed information would typically be published by the vendors (e.g., Red Hat, WildFly community) on their security portals and mailing lists, which should be consulted for the latest updates, patches, and specific product versions affected.

11. What is the risk assessment and urgency level?

The risk assessment for CVE-2024-1635 is considered High, primarily due to its CVSS score of 7.5 and the potential for a complete denial-of-service. An attacker can easily exploit this vulnerability remotely without authentication, simply by opening and closing connections, leading to severe impact on system availability. The urgency level for addressing this vulnerability is also High, especially for systems running Undertow with the wildfly-http-client protocol that are exposed to untrusted networks or the internet. Immediate action is required to apply patches or implement mitigating controls as soon as they become available to prevent service disruption.