Thanks for the reply Flavia.  Can you expound on what the fix will be?  I dug into the Ghostcat exploit a bit more and was sort of relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much as it was "just the way AJP works" and the real fix is really just to secure your AJP connections via networking/firewalls and/or configure a connection secret (something I don't think Undertow supports)

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone@redhat.com> wrote:
Hi Brad

This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public.

However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes.

Regards,
Flavia

On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s@gmail.com> wrote:
Can anyone point me at a reference that covers if Undertow's AJP listener is susceptible to the newly-released Ghostcat vulnerability.  Most information centers around Tomcat, but Redhat does have this page mentioning Undertow.


However, even the information there seems to revolve around Undertow as it's embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.

Is Undertow proper vulnerable?  What versions?  I see a generic ticket mentioning Undertow here


but I can't find any tickets on the Undertow JIRA ticket tracker 


Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 

_______________________________________________
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev


--

Flavia Rainone

Principal Software Engineer

Red Hat

frainone@redhat.com