CVE-2016-2094 – EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client

https://notcve.org/view.php?id=CVE-2016-2094

The HTTPS NIO Connector allows remote attackers to cause a denial of service (thread consumption) by opening a socket and not sending an SSL handshake, aka a read-timeout vulnerability. El HTTPS NIO Connector permite a atacantes remotos provocar una denegación de servicio (consumo de hilos) abriendo un socket y no enviando un apretón de manos SSL, también conocido como una vulnerabilidad de finalización de tiempo de espera de lectura. A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service). • http://rhn.redhat.com/errata/RHSA-2016-0595.html http://rhn.redhat.com/errata/RHSA-2016-0596.html http://rhn.redhat.com/errata/RHSA-2016-0597.html http://rhn.redhat.com/errata/RHSA-2016-0598.html http://rhn.redhat.com/errata/RHSA-2016-0599.html https://bugzilla.redhat.com/show_bug.cgi?id=1308465 https://access.redhat.com/security/cve/CVE-2016-2094 • CWE-358: Improperly Implemented Security Check for Standard CWE-399: Resource Management Errors •