The fix is here:
https://github.com/undertow-io/undertow/pull/859

We will be releasing Undertow 2.0.30.Final soon with that fix.

On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone <frainone@redhat.com> wrote:

We are doing something similar to what was done on Tomcat, i.e. having a configurable attribute pattern to prevent unknown patterns from being accepted.
I'll send you a link with the fix when it is available.

On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <bdw429s@gmail.com> wrote:

Thanks for the reply Flavia. Can you expound on what the fix will be? I dug into the Ghostcat exploit a bit more and was sort of relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much as it was "just the way AJP works", and the real fix is really just to secure your AJP connections via networking/firewalls and/or configure a connection secret (something I don't think Undertow supports).

Thanks!
~Brad
Developer Advocate
Ortus Solutions, Corp
E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org

On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone@redhat.com> wrote:

Hi Brad,
This is usually handled internally by Red Hat to guarantee products come with a fix for the customers before the CVE is open to the public.
However, the vulnerability is known to the public, and a fix will be added to the next community version of Undertow 2.0.30.Final, to be released in the next few days with several other fixes.

Regards,
Flavia

On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s@gmail.com> wrote:

Can anyone point me at a reference that covers if Undertow's AJP listener is susceptible to the newly-released Ghostcat vulnerability? Most information centers around Tomcat, but Red Hat does have this page mentioning Undertow.
However, even the information there seems to revolve around Undertow as it's embedded in EAP 7 and not Undertow when embedded directly in an application like I use it.
Is Undertow proper vulnerable? What versions?
I see a generic ticket mentioning Undertow here, but I can't find any tickets on the Undertow JIRA ticket tracker.

Thanks!
~Brad
Developer Advocate
Ortus Solutions, Corp
E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
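As an added illustration of the mitigation Flavia describes (a configurable allowlist pattern for AJP request attributes, as Tomcat did), here is a small Python model that is not Undertow's or Tomcat's code: it decodes the generic req_attribute entries of an AJP13 forward request and refuses the request when any attribute name falls outside the configured pattern. The sample attribute bytes and the `AJP_[A-Z_]+` allowlist are constructed assumptions, not values from the thread.

```python
import re
import struct

# AJP13 attribute codes. Only the generic req_attribute entry (0x0A) carries an
# arbitrary name chosen by the sender, so it is the one an allowlist must
# police; 0xFF closes the attribute list.
REQ_ATTRIBUTE = 0x0A
TERMINATOR = 0xFF

def ajp_string(s: str) -> bytes:
    """Encode an AJP string: big-endian u16 length, bytes, trailing NUL."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"

def read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:                      # AJP encodes a null string as 0xFFFF
        return None, pos
    return buf[pos:pos + n].decode("utf-8"), pos + n + 1   # skip the NUL

def parse_req_attributes(buf: bytes, pos: int = 0):
    """Return the (name, value) pairs of req_attribute entries in buf[pos:]."""
    attrs = []
    while pos < len(buf):
        code, pos = buf[pos], pos + 1
        if code == TERMINATOR:
            return attrs
        if code != REQ_ATTRIBUTE:
            raise ValueError(f"unexpected attribute code 0x{code:02x}")
        name, pos = read_string(buf, pos)
        value, pos = read_string(buf, pos)
        attrs.append((name, value))
    raise ValueError("attribute list not terminated")

def check_request_attributes(buf: bytes, allowed: re.Pattern):
    """Apply the allowlist; returns (accepted, rejected_attribute_names)."""
    rejected = [n for n, _ in parse_req_attributes(buf) if not allowed.fullmatch(n or "")]
    return (not rejected, rejected)

# Constructed sample: one attribute a reverse proxy would legitimately forward
# and one name that nothing on the legitimate path would ever set.
SAMPLE = (bytes([REQ_ATTRIBUTE]) + ajp_string("AJP_REMOTE_PORT") + ajp_string("54321")
          + bytes([REQ_ATTRIBUTE]) + ajp_string("some.unexpected.attribute") + ajp_string("x")
          + bytes([TERMINATOR]))
ALLOWED = re.compile(r"AJP_[A-Z_]+")   # example pattern, assumed for this demo

if __name__ == "__main__":
    print(check_request_attributes(SAMPLE, ALLOWED))  # -> (False, ['some.unexpected.attribute'])
```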