CVE-2022-2764 in Undertow

Summary

by MITRE • 09/02/2022

A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.


Analysis

by VulDB Data Team • 05/27/2026

CVE-2022-2764 is a denial-of-service flaw in the Undertow web server that affects its handling of EJB (Enterprise JavaBeans) invocations carried over HTTP. While reading such an invocation, Undertow can enter an indefinite wait for the final chunk (LAST_CHUNK) of the request body. If that chunk never arrives, request processing never terminates: the connection and the resources tied to it are held open instead of being released, and the capacity available to legitimate clients shrinks with every stalled request.

The root cause is an unbounded wait in the chunked transfer coding path used for EJB invocations. An HTTP/1.1 chunked body is a sequence of size-prefixed chunks terminated by a zero-length chunk and an empty line (the bytes 0\r\n\r\n, the LAST_CHUNK), and only that marker tells the receiver that the body is complete. Undertow waited for the marker with no time limit, so a peer that sends some chunks and then simply stays silent, keeping the socket open, leaves the request in progress forever. Nothing about the request has to be syntactically invalid; omitting the terminator is enough. The vulnerability is classified under CWE-400, Uncontrolled Resource Consumption, because resources are committed to the request without any termination condition.

Operationally, the flaw matters for any deployment that exposes EJB invocations through Undertow. Each stalled request holds its connection, its buffers and, where the body is read in blocking mode, a worker thread until the peer disconnects, so availability degrades progressively rather than failing all at once. An attacker can open many connections that each send a partial chunked body and never the LAST_CHUNK; once connection or thread capacity is exhausted, legitimate requests are refused or queued indefinitely. The impact is confined to availability, but in a high-traffic environment that can amount to a complete outage of the affected service.

Mitigation starts with updating Undertow (or the WildFly/JBoss EAP release that bundles it) to a version containing the fix, so that the wait for LAST_CHUNK is bounded. As defence in depth, configure read and idle timeouts on the listener so that a connection that stops sending mid-body is closed rather than held, and cap per-client connections and request body sizes. Rate limiting at the network edge contains the number of stalled connections an attacker can accumulate. Monitoring should alert on connections that remain in a request-reading state well beyond normal request duration, and on growth in open connections or busy worker threads without matching throughput. In ATT&CK terms the attack maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation). The same unbounded-wait pattern can appear wherever a server reads a client-controlled stream of unknown length, so other HTTP request-processing components are worth reviewing for it.
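The following is an added example written for this page; it is not Undertow's code and does not reproduce its internals. It illustrates the two points above: what the LAST_CHUNK terminator is and why a reader that waits for it without a deadline can be stalled forever (the root-cause paragraph), and how an idle timeout on the body read turns that stall into an aborted request (the mitigation paragraph). The decoder, the two constructed request bodies and the socketpair-based exchange are all assumptions made for the illustration; the `client` that sends a partial body and then goes quiet stands in for a hostile peer.

```python
import socket
import threading
import time
from typing import Optional

# The chunked transfer coding ends a body with a zero-length chunk followed by
# an empty trailer section: "0\r\n\r\n" (RFC 9112, section 7.1). Until this
# marker arrives a receiver cannot know the body is complete.
LAST_CHUNK = b"0\r\n\r\n"


class ChunkedDecoder:
    """Incremental decoder for an HTTP/1.1 chunked message body (illustrative).

    feed() consumes whatever bytes have arrived so far and returns True once the
    last-chunk (and any trailers) has been seen. Until then the caller has to
    keep reading from the socket, which is where an unbounded wait can arise.
    """

    def __init__(self, max_body: int = 1 << 20):
        self.buf = b""
        self.body = bytearray()
        self.complete = False
        self.max_body = max_body  # cap so a peer cannot make us buffer without limit

    def feed(self, data: bytes) -> bool:
        self.buf += data
        while not self.complete:
            eol = self.buf.find(b"\r\n")
            if eol < 0:
                return False  # chunk-size line not yet complete
            size_field = self.buf[:eol].split(b";", 1)[0].strip()  # drop chunk extensions
            try:
                size = int(size_field, 16)
            except ValueError:
                raise ValueError(f"malformed chunk size: {size_field!r}")
            if size == 0:
                # last-chunk: optional trailer fields, then an empty line
                end = self.buf.find(b"\r\n\r\n", eol)
                if end < 0:
                    return False  # LAST_CHUNK started but not yet terminated
                self.buf = self.buf[end + 4:]
                self.complete = True
                return True
            frame_end = eol + 2 + size + 2  # size line CRLF + data + trailing CRLF
            if len(self.buf) < frame_end:
                return False  # chunk data not fully received
            if self.buf[frame_end - 2:frame_end] != b"\r\n":
                raise ValueError("chunk data not terminated by CRLF")
            self.body += self.buf[eol + 2:eol + 2 + size]
            if len(self.body) > self.max_body:
                raise ValueError("chunked body exceeds configured limit")
            self.buf = self.buf[frame_end:]
        return True


def read_chunked_body(conn: socket.socket, idle_timeout: Optional[float]) -> bytes:
    """Read one chunked body from conn.

    idle_timeout=None mirrors the vulnerable behaviour: recv() blocks until the
    peer sends the last-chunk or closes, which a hostile peer never does.
    A finite idle_timeout bounds the wait and turns the stall into an error.
    """
    conn.settimeout(idle_timeout)
    dec = ChunkedDecoder()
    while not dec.complete:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            raise TimeoutError("idle timeout waiting for LAST_CHUNK; aborting request")
        if not data:
            raise ConnectionError("peer closed connection before LAST_CHUNK")
        dec.feed(data)
    return bytes(dec.body)


# Constructed sample bodies (not captured from any real EJB client).
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\n" + LAST_CHUNK
UNTERMINATED = b"4\r\nWiki\r\n5\r\npedia\r\n"  # data chunks, then silence


def run_client_then_read(client_bytes: bytes, idle_timeout: Optional[float]) -> str:
    """Constructed exchange over a socketpair: the 'client' sends client_bytes,
    then keeps the socket open without sending anything more. Returns an
    outcome label for the server side."""
    server_side, client_side = socket.socketpair()
    try:
        def client():
            client_side.sendall(client_bytes)
            time.sleep(0.5)  # stay connected so the server cannot rely on EOF

        t = threading.Thread(target=client, daemon=True)
        t.start()
        try:
            body = read_chunked_body(server_side, idle_timeout)
            return "complete:" + body.decode()
        except TimeoutError:
            return "timeout"
        finally:
            t.join()
    finally:
        server_side.close()
        client_side.close()


def demo() -> dict:
    # With idle_timeout=None the UNTERMINATED case would never return; that is
    # the vulnerable behaviour, so it is deliberately not exercised here.
    return {
        "well_formed": run_client_then_read(WELL_FORMED, idle_timeout=0.2),
        "unterminated": run_client_then_read(UNTERMINATED, idle_timeout=0.2),
    }
```

The decoder alone is enough to show the failure: after the two data chunks `feed()` keeps returning False, and a reader with no deadline has no reason ever to stop calling `recv()`. On the real server the equivalent knobs are the listener's read/idle timeouts (for Undertow embedded, `UndertowOptions.IDLE_TIMEOUT` and `UndertowOptions.NO_REQUEST_TIMEOUT`; in WildFly, the `http-listener` attributes `read-timeout` and `no-request-timeout`). This page does not state whether those settings bounded the affected EJB path on unpatched releases, so treat them as a layer on top of the update rather than a substitute for it.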

Reservation

08/11/2022

Disclosure

09/02/2022

Moderation

accepted

CPE

ready

EPSS

0.00348

KEV

no

Activities

low
