[wildfly-dev] Re: Vulnerabilities in wildfly version 32.0.1.Final
Hi Pawan,
The CVE-2024-7885 issue is not yet fixed in Undertow, although I know the
Undertow community is looking into it. Once Undertow does a release with a
fix for that included, we'll evaluate how to incorporate it into WildFly.
Until that happens I don't know for sure, but it seems reasonable that the
fix will land in WildFly 34, which we expect to release in the first half
of October.
Note that our understanding is CVE-2024-7885 only affects servers that have
enabled the AJP listener.
Best regards,
Brian
On Tue, Aug 27, 2024 at 8:53 PM Pawan Verma via wildfly-dev <
wildfly-dev(a)lists.jboss.org> wrote:
I think there were 4 vulnerabilities in total for
undertow-core-2.3.13.Final.jar (in WildFly 32)
CVE-2024-6162
CVE-2024-7885
CVE-2024-5971
CVE-2024-3653
Out of these, 3 are rectified in WildFly 33. But still CVE-2024-7885 is
there.
_______________________________________________
wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org
To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org
Privacy Statement: https://www.redhat.com/en/about/privacy-policy
List Archives:
https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message...
--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His
Attachments:
- attachment.html (text/html — 2.3 KB)