Re: [undertow-dev] Undertow and Ghostcat

Hi Brad This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public. However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes. Regards, Flavia On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s(a)gmail.com&gt; wrote: > Can anyone point me at a reference that covers if Undertow's AJP listener > is susceptible to the newly-released Ghostcat vulnerability. Most > information centers around Tomcat, but Redhat does have this page > mentioning Undertow. > > https://access.redhat.com/security/cve/CVE-2020-1745 > > However, even the information there seems to revolve around Undertow as > it's embedded in EAP 7 and not Undertow when embedded directly in an > application like I use it. > > Is Undertow proper vulnerable? What versions? I see a generic ticket > mentioning Undertow here > > https://bugzilla.redhat.com/show_bug.cgi?id=1807305 > > but I can't find any tickets on the Undertow JIRA ticket tracker > > > https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20te... > > > Thanks! > > ~Brad > > *Developer Advocate* > *Ortus Solutions, Corp * > > E-mail: brad(a)coldbox.org > ColdBox Platform: http://www.coldbox.org > Blog: http://www.codersrevolution.com > > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev -- Flavia Rainone Principal Software Engineer Red Hat <https://www.redhat.com> frainone(a)redhat.com <https://www.redhat.com>