Can anyone point me at a reference that covers whether Undertow's AJP listener is susceptible to the newly released Ghostcat vulnerability? Most information centers around Tomcat, but Red Hat does have this page mentioning Undertow:

https://access.redhat.com/security/cve/CVE-2020-1745 

However, even the information there seems to revolve around Undertow as it's embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.

Is Undertow proper vulnerable?  What versions?  I see a generic ticket mentioning Undertow here

https://bugzilla.redhat.com/show_bug.cgi?id=1807305

but I can't find any tickets on the Undertow JIRA ticket tracker 

https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat  

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org