Hi Brad

This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public.

However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes.

Regards,
Flavia

On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s@gmail.com> wrote:
Can anyone point me at a reference that covers if Undertow's AJP listener is susceptible to the newly-released Ghostcat vulnerability? Most information centers around Tomcat, but Red Hat does have this page mentioning Undertow.

https://access.redhat.com/security/cve/CVE-2020-1745

However, even the information there seems to revolve around Undertow as it's embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.

Is Undertow proper vulnerable? What versions? I see a generic ticket mentioning Undertow here

https://bugzilla.redhat.com/show_bug.cgi?id=1807305

but I can't find any tickets on the Undertow JIRA ticket tracker

https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org

_______________________________________________
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev

--
Flavia Rainone
Principal Software Engineer
Red Hat
frainone@redhat.com