GHSA-cqgj-h8vf-4w59HighCVSS 7.5
Acknowledgement extension out of memory
🔗 CVE IDs covered (1)
📋 Description
Impact
Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError.
Such bad clients would always send:
{
"channel": "/meta/connect",
...
"ext": { "ack": 1 }
}
The server would never clear the unacknowledged message queue, and one bad client can cause a server outage.
Patches
5.0.x - https://github.com/cometd/cometd/pull/2168 6.0.x - https://github.com/cometd/cometd/pull/2169 8.0.x - https://github.com/cometd/cometd/pull/2118
Workarounds
Disable the acknowledgement extension.
Resources
https://github.com/cometd/cometd/discussions/2116 https://github.com/cometd/cometd/issues/2117
🎯 Affected products4
- maven/org.cometd.java:cometd-java-server-common:>= 5.0.0, <= 5.0.22
- maven/org.cometd.java:cometd-java-server-common:>= 6.0.0, <= 6.0.18
- maven/org.cometd.java:cometd-java-server-common:>= 7.0.0, <= 7.0.18
- maven/org.cometd.java:cometd-java-server-common:>= 8.0.0, <= 8.0.8
🔗 References (7)
- https://github.com/cometd/cometd/security/advisories/GHSA-cqgj-h8vf-4w59
- https://github.com/cometd/cometd/issues/2117
- https://github.com/cometd/cometd/pull/2118
- https://github.com/cometd/cometd/pull/2168
- https://github.com/cometd/cometd/pull/2169
- https://github.com/cometd/cometd/discussions/2116
- https://github.com/advisories/GHSA-cqgj-h8vf-4w59