CVE-2024-8447 - Vulnerability Details - OpenCVE

Description

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

Published: 2025-01-02

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 7.1.0.Final

Red Hat Red Hat JBoss EAP XP 5.0 Update 2.0 unaffected —

Red Hat Red Hat JBoss Enterprise Application Platform 8 unaffected —

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

affected

Version	Status	Constraints
`0:800.6.1-1.GA_redhat_00001.1.el8eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

affected

Version	Status	Constraints
`0:4.1.119-1.Final_redhat_00002.1.el8eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

affected

Version	Status	Constraints
`0:4.1.119-1.Final_redhat_00002.1.el8eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

affected

Version	Status	Constraints
`0:2.0.16-2.redhat_00003.1.el8eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

affected

Version	Status	Constraints
`0:8.0.6-15.GA_redhat_00009.1.el8eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

affected

Version	Status	Constraints
`0:800.6.1-1.GA_redhat_00001.1.el9eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

affected

Version	Status	Constraints
`0:4.1.119-1.Final_redhat_00002.1.el9eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

affected

Version	Status	Constraints
`0:4.1.119-1.Final_redhat_00002.1.el9eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

affected

Version	Status	Constraints
`0:2.0.16-2.redhat_00003.1.el9eap`	unaffected	< *

Red Hat

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

affected

Version	Status	Constraints
`0:8.0.6-15.GA_redhat_00009.1.el9eap`	unaffected	< *

Red Hat Red Hat JBoss Data Grid 7 affected —

Red Hat Red Hat JBoss Enterprise Application Platform 7 unknown —

Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack affected —

No data.

Package	CPE	Advisory	Released Date
Red Hat JBoss EAP XP 5.0 Update 2.0
org.jboss.narayana-narayana-all	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2025:7620	2025-05-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
org.jboss.narayana-narayana-all	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2025:3358	2025-03-27T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-slf4j-0:2.0.16-2.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:3357	2025-03-27T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-slf4j-0:2.0.16-2.redhat_00003.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:3357	2025-03-27T00:00:00Z
eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:3357	2025-03-27T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-0041	A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.
Github GHSA	GHSA-qq9f-q439-2574	Narayana deadlock via multiple join requests sent to LRA Coordinator

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:3357
https://access.redhat.com/errata/RHSA-2025:3358
https://access.redhat.com/errata/RHSA-2025:7620
https://access.redhat.com/security/cve/CVE-2024-8447
https://bugzilla.redhat.com/show_bug.cgi?id=2335206
https://github.com/jbosstm/narayana/pull/2293
https://nvd.nist.gov/vuln/detail/CVE-2024-8447
https://www.cve.org/CVERecord?id=CVE-2024-8447

History

Wed, 14 May 2025 22:45:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2025:7620

Thu, 27 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
References		https://access.redhat.com/errata/RHSA-2025:3357

Thu, 27 Mar 2025 17:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:8~~	cpe:/a:redhat:jboss_enterprise_application_platform:8.0
References		https://access.redhat.com/errata/RHSA-2025:3358

Thu, 02 Jan 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Jan 2025 20:30:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.
Title	narayana: deadlock via multiple join requests sent to LRA Coordinator	Narayana: deadlock via multiple join requests sent to lra coordinator
First Time appeared		Redhat Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp
CPEs		cpe:/a:redhat:jboss_data_grid:7 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp
Vendors & Products		Redhat Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp
References		https://access.redhat.com/security/cve/CVE-2024-8447 https://bugzilla.redhat.com/show_bug.cgi?id=2335206

Thu, 02 Jan 2025 15:00:00 +0000

Type	Values Removed	Values Added
References		https://github.com/jbosstm/narayana/pull/2293

Thu, 02 Jan 2025 02:30:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		narayana: deadlock via multiple join requests sent to LRA Coordinator
Weaknesses		CWE-833
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8447 https://www.cve.org/CVERecord?id=CVE-2024-8447
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Subscriptions

Redhat Jboss Data Grid Jboss Enterprise Application Platform Jbosseapxp

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-01-02T20:19:29.671Z

Updated: 2025-11-11T00:43:36.485Z

Reserved: 2024-09-05T01:54:51.271Z

Link: CVE-2024-8447

Vulnrichment

Updated: 2025-01-02T20:41:29.157Z

NVD

Status : Deferred

Published: 2025-01-02T21:15:10.303

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-8447

Redhat

Severity : Moderate

Publid Date: 2024-09-30T00:00:00Z

Links: CVE-2024-8447 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-833

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-8447", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-05T01:54:51.271Z", "datePublished": "2025-01-02T20:19:29.671Z", "dateUpdated": "2025-11-11T00:43:36.485Z"}, "containers": {"cna": {"title": "Narayana: deadlock via multiple join requests sent to lra coordinator", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "7.1.0.Final", "versionType": "semver"}], "packageName": "narayana", "collectionURL": "https://github.com/jbosstm/narayana/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat JBoss EAP XP 5.0 Update 2.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.jboss.narayana-narayana-all", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.jboss.narayana-narayana-all", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-eap-product-conf-parent", "defaultStatus": "affected", "versions": [{"version": "0:800.6.1-1.GA_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-netty", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-netty-transport-native-epoll", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-slf4j", "defaultStatus": "affected", "versions": [{"version": "0:2.0.16-2.redhat_00003.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:8.0.6-15.GA_redhat_00009.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-eap-product-conf-parent", "defaultStatus": "affected", "versions": [{"version": "0:800.6.1-1.GA_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-netty", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-netty-transport-native-epoll", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-slf4j", "defaultStatus": "affected", "versions": [{"version": "0:2.0.16-2.redhat_00003.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:8.0.6-15.GA_redhat_00009.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.jboss.narayana-narayana-all", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_data_grid:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.jboss.narayana-narayana-all", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.jboss.narayana-narayana-all", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3357", "name": "RHSA-2025:3357", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3358", "name": "RHSA-2025:3358", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:7620", "name": "RHSA-2025:7620", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8447", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335206", "name": "RHBZ#2335206", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/jbosstm/narayana/pull/2293"}], "datePublic": "2024-09-30T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-833", "description": "Deadlock", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-833: Deadlock", "timeline": [{"lang": "en", "time": "2025-01-01T22:41:50.788Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-30T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-11T00:43:36.485Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-02T20:41:25.038566Z", "id": "CVE-2024-8447", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-02T20:41:33.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8447", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-02T20:41:25.038566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-02T20:41:29.157Z"}}], "cna": {"title": "Narayana: deadlock via multiple join requests sent to lra coordinator", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "7.1.0.Final", "versionType": "semver"}], "packageName": "narayana", "collectionURL": "https://github.com/jbosstm/narayana/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"], "vendor": "Red Hat", "product": "Red Hat JBoss EAP XP 5.0 Update 2.0", "packageName": "org.jboss.narayana-narayana-all", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "org.jboss.narayana-narayana-all", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:800.6.1-1.GA_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-eap-product-conf-parent", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-netty", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-netty-transport-native-epoll", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.0.16-2.redhat_00003.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-slf4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:8.0.6-15.GA_redhat_00009.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:800.6.1-1.GA_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-eap-product-conf-parent", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-netty", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-netty-transport-native-epoll", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.0.16-2.redhat_00003.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-slf4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:8.0.6-15.GA_redhat_00009.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "packageName": "org.jboss.narayana-narayana-all", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "packageName": "org.jboss.narayana-narayana-all", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "org.jboss.narayana-narayana-all", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-01-01T22:41:50.788Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-30T00:00:00.000Z", "value": "Made public."}], "datePublic": "2024-09-30T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3357", "name": "RHSA-2025:3357", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3358", "name": "RHSA-2025:3358", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:7620", "name": "RHSA-2025:7620", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8447", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335206", "name": "RHBZ#2335206", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/jbosstm/narayana/pull/2293"}], "descriptions": [{"lang": "en", "value": "A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-833", "description": "Deadlock"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-11T00:43:36.485Z"}, "x_redhatCweChain": "CWE-833: Deadlock"}}, "cveMetadata": {"cveId": "CVE-2024-8447", "state": "PUBLISHED", "dateUpdated": "2025-11-11T00:43:36.485Z", "dateReserved": "2024-09-05T01:54:51.271Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-01-02T20:19:29.671Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"affected_release": [{"advisory": "RHSA-2025:7620", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.jboss.narayana-narayana-all", "product_name": "Red Hat JBoss EAP XP 5.0 Update 2.0", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:3358", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.jboss.narayana-narayana-all", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}], "bugzilla": {"description": "narayana: deadlock via multiple join requests sent to LRA Coordinator", "id": "2335206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335206"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-833", "details": ["A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.", "A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service."], "name": "CVE-2024-8447", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "org.jboss.narayana-narayana-all", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Out of support scope", "package_name": "org.jboss.narayana-narayana-all", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "org.jboss.narayana-narayana-all", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-09-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8447\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8447\nhttps://github.com/jbosstm/narayana/pull/2293"], "threat_severity": "Moderate"}