<div dir="auto">Thx for the update!</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 10, 2020, 3:19 PM Flavia Rainone <<a href="mailto:frainone@redhat.com">frainone@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The fix is here:<br><a href="https://github.com/undertow-io/undertow/pull/859" target="_blank" rel="noreferrer">https://github.com/undertow-io/undertow/pull/859</a><br><div>We will be releasing Undertow 2.0.30.Final soon with that fix.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone <<a href="mailto:frainone@redhat.com" target="_blank" rel="noreferrer">frainone@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>We are doing something similar to what was done on Tomcat, i.e. having a configurable attribute pattern to prevent unknown patterns from being accepted.<br></div><div><br></div><div>I'll send you a link with the fix when it is available.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <<a href="mailto:bdw429s@gmail.com" target="_blank" rel="noreferrer">bdw429s@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks for the reply Flavia. Can you expound on what the fix will be? 
I dug into the Ghostcat exploit a bit more and was sort of relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much as it was "just the way AJP works" and the real fix is really just to secure your AJP connections via networking/firewalls and/or configure a connection secret (something I don't think Undertow supports)<div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div></div><div>Thanks!</div><div><br></div><div>~Brad</div><div><br></div><div><b>Developer Advocate</b></div><div><i>Ortus Solutions, Corp </i></div><div><b><br></b></div><div>E-mail: <a href="mailto:brad@coldbox.org" target="_blank" rel="noreferrer">brad@coldbox.org</a></div><div>ColdBox Platform: <a href="http://www.coldbox.org" target="_blank" rel="noreferrer">http://www.coldbox.org</a> </div><div>Blog: <a href="http://www.codersrevolution.com" target="_blank" rel="noreferrer">http://www.codersrevolution.com</a></div><div><br></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <<a href="mailto:frainone@redhat.com" target="_blank" rel="noreferrer">frainone@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Brad<div><br></div><div>This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public.</div><div><br></div><div>However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes.</div><div><br></div><div>Regards,</div><div>Flavia</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <<a href="mailto:bdw429s@gmail.com" target="_blank" 
rel="noreferrer">bdw429s@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Can anyone point me at a reference that covers if Undertow's AJP listener is susceptible to the newly-released Ghostcat vulnerability. Most information centers around Tomcat, but Redhat does have this page mentioning Undertow.<div><br></div><div><a href="https://access.redhat.com/security/cve/CVE-2020-1745" target="_blank" rel="noreferrer">https://access.redhat.com/security/cve/CVE-2020-1745</a> </div><div><br></div><div>However, even the information there seems to revolve around Undertow as it's embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.</div><div><br></div><div>Is Undertow proper vulnerable? What versions? I see a generic ticket mentioning Undertow here</div><div><br></div><div><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1807305" target="_blank" rel="noreferrer">https://bugzilla.redhat.com/show_bug.cgi?id=1807305</a></div><div><br></div><div>but I can't find any tickets on the Undertow JIRA ticket tracker </div><div><br></div><div><a href="https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat" target="_blank" rel="noreferrer">https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat</a> <br></div><div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div></div><div>Thanks!</div><div><br></div><div>~Brad</div><div><br></div><div><b>Developer Advocate</b></div><div><i>Ortus Solutions, Corp </i></div><div><b><br></b></div><div>E-mail: <a href="mailto:brad@coldbox.org" target="_blank" rel="noreferrer">brad@coldbox.org</a></div><div>ColdBox Platform: <a href="http://www.coldbox.org" target="_blank" rel="noreferrer">http://www.coldbox.org</a> </div><div>Blog: <a href="http://www.codersrevolution.com" target="_blank" 
rel="noreferrer">http://www.codersrevolution.com</a></div><div><br></div></div></div></div></div></div></div></div>
_______________________________________________<br>
undertow-dev mailing list<br>
<a href="mailto:undertow-dev@lists.jboss.org" target="_blank" rel="noreferrer">undertow-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" rel="noreferrer noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;font-family:RedHatText,sans-serif">
<span>Flavia</span> <span>Rainone</span><span style="color:rgb(170,170,170);margin:0px"></span>
</p>
<p style="font-size:12px;margin:0px;font-family:RedHatText,sans-serif">
<span>Principal Software Engineer</span>
</p>
<p style="margin:0px 0px 4px;font-size:12px;font-family:RedHatText,sans-serif">
<a style="color:rgb(0,136,206);margin:0px" href="https://www.redhat.com" target="_blank" rel="noreferrer">Red Hat </a>
</p>
<div style="margin-bottom:4px">
</div>
<p style="margin:0px;font-size:12px;font-family:RedHatText,sans-serif">
<span style="margin:0px;padding:0px"><a style="color:rgb(0,0,0);margin:0px" href="mailto:frainone@redhat.com" target="_blank" rel="noreferrer">frainone@redhat.com</a> </span>
</p>
<div style="margin-top:12px">
<table border="0">
<tbody><tr>
<td width="100px"><a href="https://www.redhat.com" target="_blank" rel="noreferrer"> <img src="https://static.redhat.com/libs/redhat/brand-assets/2/corp/logo--200.png" width="90" height="auto"></a> </td>
</tr>
</tbody></table>
</div></div></div></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>
<div style="margin-top:12px">
</div></div></div></div></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>
<div style="margin-top:12px">
</div></div></div></div></div></div></div></div>
</blockquote></div>
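The two controls discussed in this thread, a shared AJP connection secret (Brad's message) and a configurable allow-list pattern for proxy-supplied request attributes (Flavia's description of the Undertow fix, modelled on Tomcat's), are modelled below as an added, standalone example. It is not Undertow's or Tomcat's code and uses none of their APIs; the `AjpPolicy` and `AjpRequest` types, the `KNOWN_ATTRIBUTES` table, the "reject the whole request with 403" behaviour, and the sample requests and attribute names are all constructed for illustration.

```python
"""
Model of two AJP hardening controls: a shared connection secret and an
allow-list pattern for generic ("req_attribute") names sent by the proxy.
Illustrative only; the types, the known-attribute table and the sample
traffic are constructed and are not taken from any container's source.
"""
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attribute names the container itself interprets and that a forwarding proxy
# legitimately sets. This table is an assumption for the example.
KNOWN_ATTRIBUTES = frozenset({
    "remote_user", "auth_type", "query_string", "jvm_route",
    "ssl_cert", "ssl_cipher", "ssl_session", "ssl_key_size",
})


@dataclass
class AjpPolicy:
    # Secret every proxy request must carry; None means the check is disabled.
    secret: Optional[str] = None
    # Regex a non-standard attribute name must fully match to be accepted.
    # None means no non-standard attributes are accepted at all.
    allowed_request_attributes_pattern: Optional[str] = None

    def compiled_pattern(self) -> Optional[re.Pattern]:
        p = self.allowed_request_attributes_pattern
        return re.compile(p) if p else None


@dataclass
class AjpRequest:
    # Constructed stand-in for a decoded AJP forward-request packet.
    uri: str
    secret: Optional[str] = None
    attributes: Dict[str, str] = field(default_factory=dict)


def secret_ok(policy: AjpPolicy, request: AjpRequest) -> bool:
    """Constant-time comparison of the presented secret, if one is required."""
    if policy.secret is None:
        return True
    if request.secret is None:
        return False
    return hmac.compare_digest(policy.secret.encode(), request.secret.encode())


def partition_attributes(policy: AjpPolicy, attributes: Dict[str, str]
                         ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split proxy-supplied attributes into accepted and rejected names."""
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    pattern = policy.compiled_pattern()
    for name, value in attributes.items():
        if name in KNOWN_ATTRIBUTES or (pattern is not None and pattern.fullmatch(name)):
            accepted[name] = value
        else:
            rejected[name] = value
    return accepted, rejected


def evaluate(policy: AjpPolicy, request: AjpRequest
             ) -> Tuple[int, Dict[str, str], List[str]]:
    """Return (status, attributes exposed to the application, audit log lines)."""
    log: List[str] = []
    if not secret_ok(policy, request):
        log.append(f"ajp: secret mismatch on {request.uri}; request dropped")
        return 403, {}, log
    accepted, rejected = partition_attributes(policy, request.attributes)
    if rejected:
        # Rejecting the request, not just the attribute, makes a misbehaving or
        # unexpected proxy visible in the logs instead of silently degrading.
        log.append(f"ajp: unexpected attributes {sorted(rejected)} on {request.uri}; request rejected")
        return 403, {}, log
    return 200, accepted, log


# Constructed sample traffic and policies.
SHARED_SECRET = "example-shared-secret"  # placeholder value for the example
LEGIT = AjpRequest("/app/index", SHARED_SECRET,
                   {"remote_user": "alice", "query_string": "page=2"})
UNEXPECTED = AjpRequest("/app/index", SHARED_SECRET,
                        {"remote_user": "alice", "example.internal.flag": "1"})
NO_SECRET = AjpRequest("/app/index", None, {"query_string": "page=2"})

STRICT = AjpPolicy(secret=SHARED_SECRET)
RELAXED = AjpPolicy(secret=SHARED_SECRET,
                    allowed_request_attributes_pattern=r"example\.internal\..*")

if __name__ == "__main__":
    for label, policy, req in (("strict/legit", STRICT, LEGIT),
                               ("strict/unexpected", STRICT, UNEXPECTED),
                               ("relaxed/unexpected", RELAXED, UNEXPECTED),
                               ("strict/no-secret", STRICT, NO_SECRET)):
        status, attrs, log = evaluate(policy, req)
        print(label, status, attrs, log)
```

With no pattern configured, only the known attribute names get through and everything else causes a 403, which is the "unknown patterns are not accepted" default the thread describes; an operator who genuinely needs a proxy to pass custom attributes opts in with an explicit regex. The secret check is independent of the pattern and, as Brad notes, is only a complement to keeping the AJP port off untrusted networks.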