<div dir="ltr">The fix is here:<br><a href="https://github.com/undertow-io/undertow/pull/859">https://github.com/undertow-io/undertow/pull/859</a><br><div>We will be releasing Undertow 2.0.30.Final soon with that fix.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone &lt;<a href="mailto:frainone@redhat.com">frainone@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>We are doing something similar to what was done on Tomcat, i.e. having a configurable attribute pattern to prevent unknown patterns from being accepted.<br></div><div><br></div><div>I&#39;ll send you a link with the fix when it is available.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 4, 2020 at 2:39 AM Brad Wood &lt;<a href="mailto:bdw429s@gmail.com" target="_blank">bdw429s@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks for the reply, Flavia.  Can you expound on what the fix will be?  
I dug into the Ghostcat exploit a bit more and was sort of relieved/disappointed to see it wasn&#39;t a &quot;bug&quot; or a &quot;vulnerability&quot; so much as it was &quot;just the way AJP works&quot; and the real fix is really just to secure your AJP connections via networking/firewalls and/or configure a connection secret (something I don&#39;t think Undertow supports).<div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div></div><div>Thanks!</div><div><br></div><div>~Brad</div><div><br></div><div><b>Developer Advocate</b></div><div><i>Ortus Solutions, Corp </i></div><div><b><br></b></div><div>E-mail: <a href="mailto:brad@coldbox.org" target="_blank">brad@coldbox.org</a></div><div>ColdBox Platform: <a href="http://www.coldbox.org" target="_blank">http://www.coldbox.org</a> </div><div>Blog: <a href="http://www.codersrevolution.com" target="_blank">http://www.codersrevolution.com</a></div><div><br></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone &lt;<a href="mailto:frainone@redhat.com" target="_blank">frainone@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Brad,<div><br></div><div>This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public.</div><div><br></div><div>However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes.</div><div><br></div><div>Regards,</div><div>Flavia</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 2, 2020 at 3:32 PM Brad Wood &lt;<a href="mailto:bdw429s@gmail.com" target="_blank">bdw429s@gmail.com</a>&gt; 
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Can anyone point me at a reference that covers whether Undertow&#39;s AJP listener is susceptible to the newly-released Ghostcat vulnerability?  Most information centers around Tomcat, but Red Hat does have this page mentioning Undertow.<div><br></div><div><a href="https://access.redhat.com/security/cve/CVE-2020-1745" target="_blank">https://access.redhat.com/security/cve/CVE-2020-1745</a> </div><div><br></div><div>However, even the information there seems to revolve around Undertow as it&#39;s embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.</div><div><br></div><div>Is Undertow proper vulnerable?  What versions?  I see a generic ticket mentioning Undertow here</div><div><br></div><div><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1807305" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1807305</a></div><div><br></div><div>but I can&#39;t find any tickets on the Undertow JIRA ticket tracker </div><div><br></div><div><a href="https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat" target="_blank">https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat</a>  <br></div><div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div></div><div>Thanks!</div><div><br></div><div>~Brad</div><div><br></div></div></div></div></div></div></div></div>
_______________________________________________<br>
undertow-dev mailing list<br>
<a href="mailto:undertow-dev@lists.jboss.org" target="_blank">undertow-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>
        <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;font-family:RedHatText,sans-serif">
          <span>Flavia</span> <span>Rainone</span><span style="color:rgb(170,170,170);margin:0px"></span>
        </p>
        
        <p style="font-size:12px;margin:0px;font-family:RedHatText,sans-serif">
          <span>Principal Software Engineer</span>
        </p>
        <p style="margin:0px 0px 4px;font-size:12px;font-family:RedHatText,sans-serif">
          <a style="color:rgb(0,136,206);margin:0px" href="https://www.redhat.com" target="_blank">Red Hat </a>
        </p>
    <div style="margin-bottom:4px">
      
      
    </div>
    <p style="margin:0px;font-size:12px;font-family:RedHatText,sans-serif">
      <span style="margin:0px;padding:0px"><a style="color:rgb(0,0,0);margin:0px" href="mailto:frainone@redhat.com" target="_blank">frainone@redhat.com</a>   </span>
      
      
    </p>
    

     

    

    <div style="margin-top:12px">
      <table border="0">
        <tbody><tr>
          <td width="100px"><a href="https://www.redhat.com" target="_blank"> <img src="https://static.redhat.com/libs/redhat/brand-assets/2/corp/logo--200.png" width="90" height="auto"></a> </td>
          
        </tr>
      </tbody></table>
    </div></div></div></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
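<div dir="ltr"><div>Added example, not code from this thread or from the Undertow project: an embedded Undertow server whose AJP listener applies the two mitigations discussed above, a bind address that keeps AJP off public interfaces and an allow-list pattern for forwarded request attributes in the style of Tomcat&#39;s allowedRequestAttributesPattern. The option constant UndertowOptions.AJP_ALLOWED_REQUEST_ATTRIBUTES_PATTERN and the exact rejection behaviour are assumptions to confirm against the merged fix and the Undertow release in use.</div></div>

```java
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.util.Headers;

// Added example (not from the thread or the Undertow project): an embedded
// Undertow server whose AJP listener applies the mitigations discussed above.
public class HardenedAjpServer {

    // Regex for the AJP request attributes the backend will accept from its
    // reverse proxy. Attributes that do not match are rejected by the listener
    // instead of reaching the servlet layer. AJP_REMOTE_PORT and
    // JK_LB_ACTIVATION are the attributes mod_jk / mod_proxy_ajp normally
    // forward; extend the list only with attributes your proxy is known to send.
    static final String ALLOWED_AJP_ATTRIBUTES = "^(AJP_REMOTE_PORT|JK_LB_ACTIVATION)$";

    public static void main(String[] args) {
        Undertow server = Undertow.builder()
                // AJP carries no authentication of its own, so network reach is
                // the primary control: bind to loopback (or an internal-only
                // interface) and let the firewall cover the rest.
                .addAjpListener(8009, "127.0.0.1")
                // ASSUMPTION: option constant introduced by the fix referenced in
                // the thread (PR #859); confirm the name and whether rejection is
                // a 403 response or a closed connection on the release you use.
                .setServerOption(UndertowOptions.AJP_ALLOWED_REQUEST_ATTRIBUTES_PATTERN,
                        ALLOWED_AJP_ATTRIBUTES)
                .setHandler(exchange -> {
                    exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                    exchange.getResponseSender().send("served over AJP");
                })
                .build();
        server.start();
    }
}
```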