Fix CVE-2021-3690,CVE-2023-1973 and CVE-2023-5379

(cherry picked from commit 12843fdbc2e6ec08db7d5624ae9b31bd04a29629)

CVE-2021-3690.patch

@@ -0,0 +1,25 @@
+From abbaa6e883e6b4d082f13347e0f8e332097f9554 Mon Sep 17 00:00:00 2001
+From: Andrey Marinchuk <radist.nt@gmail.com>
+Date: Sat, 31 Jul 2021 00:26:57 +0300
+Subject: [PATCH] [UNDERTOW-1935] - buffer leak on incoming websocket PONG
+ message
+
+Origin:
+https://github.com/undertow-io/undertow/commit/97482a5d4114001d45f9b07f1d2893749cdcba8b
+---
+ .../src/main/java/io/undertow/websockets/jsr/FrameHandler.java  | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+index 12ae5bb38c..a93822587d 100644
+--- a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
++++ b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+@@ -152,6 +152,8 @@ public void run() {
+                     }
+                 }
+             });
++        } else {
++            bufferedBinaryMessage.getData().free();
+         }
+     }
+ 

CVE-2023-1973.patch

@@ -0,0 +1,131 @@
+From 0410f3c4d9b39b754a2203a29834cac51da11258 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Richard=20Op=C3=A1lka?= <opalka.richard@gmail.com>
+Date: Fri, 19 Jan 2024 19:52:31 +0100
+Subject: [PATCH] [UNDERTOW-2264] CVE-2023-1973 Force session timeout to 2
+ minutes when session was created during the authentication phase. Once
+ authentication is complete restore original (configured) session timeout.
+
+Signed-off-by: Flavia Rainone <frainone@redhat.com>
+
+Origin:
+https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258
+---
+ .../impl/FormAuthenticationMechanism.java     | 28 +++++++++++++++++--
+ .../ServletFormAuthenticationMechanism.java   | 20 ++++++++++++-
+ 2 files changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+index 22f95a6..5e6981e 100644
+--- a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
++++ b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+@@ -45,9 +45,8 @@ import static io.undertow.UndertowMessages.MESSAGES;
+ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+ 
+     public static final String LOCATION_ATTRIBUTE = FormAuthenticationMechanism.class.getName() + ".LOCATION";
+-
+     public static final String DEFAULT_POST_LOCATION = "/j_security_check";
+-
++    protected static final String ORIGINAL_SESSION_TIMEOUT = "io.undertow.servlet.form.auth.orig.session.timeout";;
+     private final String name;
+     private final String loginPage;
+     private final String errorPage;
+@@ -55,6 +54,13 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     private final FormParserFactory formParserFactory;
+     private final IdentityManager identityManager;
+ 
++    /**
++     * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the
++     * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that
++     * exist before the authentication process starts will retain their original session timeout throughout.
++     */
++    protected final int authenticationSessionTimeout = 120;
++
+     public FormAuthenticationMechanism(final String name, final String loginPage, final String errorPage) {
+         this(FormParserFactory.builder().build(), name, loginPage, errorPage);
+     }
+@@ -144,6 +150,10 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     protected void handleRedirectBack(final HttpServerExchange exchange) {
+         final Session session = Sessions.getSession(exchange);
+         if (session != null) {
++            final Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++            if (originalSessionTimeout != null) {
++                session.setMaxInactiveInterval(originalSessionTimeout);
++            }
+             final String location = (String) session.removeAttribute(LOCATION_ATTRIBUTE);
+             if(location != null) {
+                 exchange.addDefaultResponseListener(new DefaultResponseListener() {
+@@ -179,7 +189,19 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     }
+ 
+     protected void storeInitialLocation(final HttpServerExchange exchange) {
+-        Session session = Sessions.getOrCreateSession(exchange);
++        Session session = Sessions.getSession(exchange);
++        boolean newSession = false;
++        if (session == null) {
++            session = Sessions.getOrCreateSession(exchange);
++            newSession = true;
++        }
++        if (newSession) {
++            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++            if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++                session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++                session.setMaxInactiveInterval(authenticationSessionTimeout);
++            }
++        }
+         session.setAttribute(LOCATION_ATTRIBUTE, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+     }
+ 
+diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+index 9c5c704..51a0b68 100644
+--- a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
++++ b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+@@ -30,6 +30,7 @@ import io.undertow.server.session.Session;
+ import io.undertow.servlet.handlers.ServletRequestContext;
+ import io.undertow.servlet.spec.HttpSessionImpl;
+ import io.undertow.servlet.util.SavedRequest;
++import io.undertow.servlet.spec.ServletContextImpl;
+ import io.undertow.util.Headers;
+ import io.undertow.util.RedirectBuilder;
+ 
+@@ -120,13 +121,26 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+             return;
+         }
+         final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
+-        HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
++        final ServletContextImpl servletContextImpl =  servletRequestContext.getCurrentServletContext();
++        HttpSessionImpl httpSession = servletContextImpl.getSession(exchange, false);
++        boolean newSession = false;
++        if (httpSession == null) {
++            httpSession = servletContextImpl.getSession(exchange, true);
++            newSession = true;
++        }
+         Session session;
+         if (System.getSecurityManager() == null) {
+             session = httpSession.getSession();
+         } else {
+             session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+         }
++        if (newSession) {
++            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++            if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++                session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++                session.setMaxInactiveInterval(authenticationSessionTimeout);
++            }
++        }
+         session.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+         SavedRequest.trySaveRequest(exchange);
+     }
+@@ -143,6 +157,10 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+             } else {
+                 session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+             }
++            Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++            if (originalSessionTimeout != null) {
++                session.setMaxInactiveInterval(originalSessionTimeout);
++            }
+             String path = (String) session.getAttribute(SESSION_KEY);
+             if (path != null) {
+                 try {
+-- 
+2.46.2
+

CVE-2023-5379.patch

@@ -0,0 +1,36 @@
+From b0732610112cb2066b5e43a47a11008edfacee02 Mon Sep 17 00:00:00 2001
+From: Flavia Rainone <frainone@redhat.com>
+Date: Thu, 8 Jun 2023 01:22:47 -0300
+Subject: [PATCH] [UNDERTOW-2280] CVE-2023-5379 At AjpReadListener, do not
+ close the connection if read is larger than maxRequestSize
+
+Signed-off-by: Flavia Rainone <frainone@redhat.com>
+
+Origin:
+https://github.com/undertow-io/undertow/commit/b422fdf0f2a5a051a9cd1664ead8277e421a0083
+---
+ .../java/io/undertow/server/protocol/ajp/AjpReadListener.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+index 8f9c94abb0..a9631b3717 100644
+--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
++++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+@@ -19,6 +19,7 @@
+ package io.undertow.server.protocol.ajp;
+ 
+ import io.undertow.UndertowLogger;
++import io.undertow.UndertowMessages;
+ import io.undertow.UndertowOptions;
+ import io.undertow.conduits.ConduitListener;
+ import io.undertow.conduits.EmptyStreamSourceConduit;
+@@ -165,8 +166,7 @@ public void handleEvent(final StreamSourceChannel channel) {
+                 }
+                 if (read > maxRequestSize) {
+                     UndertowLogger.REQUEST_LOGGER.requestHeaderWasTooLarge(connection.getPeerAddress(), maxRequestSize);
+-                    safeClose(connection);
+-                    return;
++                    throw UndertowMessages.MESSAGES.badRequest();
+                 }
+             } while (!state.isComplete());
+ 

undertow.spec

@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name:                undertow
 Version:             1.4.0
-Release:             7
+Release:             8
 Summary:             Java web server using non-blocking IO
 License:             ASL 2.0
 URL:                 http://undertow.io/
@@ -13,6 +13,9 @@ Patch1:		     CVE-2020-10705.patch
 Patch2:              CVE-2019-3888.patch
 Patch3:              CVE-2020-10719.patch
 Patch4:              CVE-2023-1108.patch
+Patch5:              CVE-2021-3690.patch
+Patch6:              CVE-2023-1973.patch
+Patch7:              CVE-2023-5379.patch
 BuildArch:           noarch
 Epoch:               1
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -37,12 +40,7 @@ Summary:             Javadoc for %{name}
 This package contains the API documentation for %{name}.
 
 %prep
-%setup -q -n %{name}-%{namedversion}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%autosetup -n %{name}-%{namedversion} -p1
 rm -rf mac-jdk-fix
 
 #Remove test cases suspected of containing viruses 
@@ -79,6 +77,9 @@ export CXXFLAGS="${RPM_OPT_FLAGS}"
 %license LICENSE.txt
 
 %changelog
+* Tue Nov 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:1.4.0-8
+- Fix CVE-2021-3690,CVE-2023-1973 and CVE-2023-5379
+
 * Mon Aug 21 2023 yaoxin <yao_xin001@hoperun.com> - 1:1.4.0-7
 - Fix build failure caused by jboss-classfilewriter upgrade to 1.3.0