Hi Brad,
This is usually handled internally by Red Hat to guarantee products come
with a fix for the customers before the CVE is open to the public.
However, the vulnerability is known to the public, and a fix will be added
to the next community version of Undertow 2.0.30.Final, to be released in
the next few days with several other fixes.
Regards,
Flavia
On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s(a)gmail.com> wrote:
Can anyone point me at a reference that covers if Undertow's AJP listener
is susceptible to the newly-released Ghostcat vulnerability? Most
information centers around Tomcat, but Red Hat does have this page
mentioning Undertow.
https://access.redhat.com/security/cve/CVE-2020-1745
However, even the information there seems to revolve around Undertow as
it's embedded in EAP 7 and not Undertow when embedded directly in an
application like I use it.
Is Undertow proper vulnerable? What versions? I see a generic ticket
mentioning Undertow here
https://bugzilla.redhat.com/show_bug.cgi?id=1807305
but I can't find any tickets on the Undertow JIRA ticket tracker
https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20te...
Thanks!
~Brad
Developer Advocate
Ortus Solutions, Corp
E-mail: brad(a)coldbox.org
ColdBox Platform:
http://www.coldbox.org
Blog:
http://www.codersrevolution.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
--
Flavia Rainone
Principal Software Engineer
Red Hat <https://www.redhat.com>
frainone(a)redhat.com