[undertow-dev] Undertow and Ghostcat

Flavia Rainone frainone at redhat.com
Wed Mar 4 00:30:38 EST 2020


Hi Brad

This is usually handled internally by Red Hat to guarantee products come
with a fix for the customers before the CVE is open to the public.

However, the vulnerability is known to the public, and a fix will be added
to the next community version of Undertow 2.0.30.Final, to be released in
the next few days with several other fixes.

Regards,
Flavia

On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s at gmail.com> wrote:

> Can anyone point me at a reference that covers if Undertow's AJP listener
> is susceptible to the newly-released Ghostcat vulnerability? Most
> information centers around Tomcat, but Red Hat does have this page
> mentioning Undertow.
>
> https://access.redhat.com/security/cve/CVE-2020-1745
>
> However, even the information there seems to revolve around Undertow as
> it's embedded in EAP 7 and not Undertow when embedded directly in an
> application like I use it.
>
> Is Undertow proper vulnerable?  What versions?  I see a generic ticket
> mentioning Undertow here
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>
> but I can't find any tickets on the Undertow JIRA ticket tracker
>
>
> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat
>
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp*
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev



-- 

Flavia Rainone

Principal Software Engineer

Red Hat <https://www.redhat.com>

frainone at redhat.com