We will be releasing Undertow 2.0.30.Final soon with that fix.
On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone <frainone(a)redhat.com> wrote:
We are doing something similar to what was done on Tomcat, i.e. having a
configurable attribute pattern to prevent unknown patterns from being
accepted.
I'll send you a link with the fix when it is available.
On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <bdw429s(a)gmail.com> wrote:
> Thanks for the reply Flavia. Can you expound on what the fix will be? I
> dug into the Ghostcat exploit a bit more and was sort of
> relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much
> as it was "just the way AJP works" and the real fix is really just to
> secure your AJP connections via networking/firewalls and/or configure a
> connection secret (something I don't think Undertow supports)
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad(a)coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone(a)redhat.com>
> wrote:
>
>> Hi Brad
>>
>> This is usually handled internally by Red Hat to guarantee products come
>> with a fix for the customers before the CVE is open to the public.
>>
>> However, the vulnerability is known to the public, and a fix will be
>> added to the next community version of Undertow 2.0.30.Final, to be
>> released in the next few days with several other fixes.
>>
>> Regards,
>> Flavia
>>
>> On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>>
>>> Can anyone point me at a reference that covers if Undertow's AJP
>>> listener is susceptible to the newly-released Ghostcat vulnerability? Most
>>> information centers around Tomcat, but Red Hat does have this page
>>> mentioning Undertow.
>>>
>>> https://access.redhat.com/security/cve/CVE-2020-1745
>>>
>>> However, even the information there seems to revolve around Undertow as
>>> it's embedded in EAP 7 and not Undertow when embedded directly in an
>>> application like I use it.
>>>
>>> Is Undertow proper vulnerable? What versions? I see a generic ticket
>>> mentioning Undertow here
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>>>
>>> but I can't find any tickets on the Undertow JIRA ticket tracker
>>>
>>>
>>> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20te...
>>>
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad(a)coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>
>>
>> --
>>
>> Flavia Rainone
>>
>> Principal Software Engineer
>>
>> Red Hat <https://www.redhat.com>
>>
>> frainone(a)redhat.com
>>
>
--
Flavia Rainone
Principal Software Engineer
Red Hat <https://www.redhat.com>
frainone(a)redhat.com