[wildfly-dev] Re: Vulnerabilities in wildfly version 32.0.1.Final

Hi Pawan, The CVE-2024-7885 issue is not yet fixed in Undertow, although I know the Undertow community is looking into it. Once Undertow does a release with a fix for that included, we'll evaluate how to incorporate it into WildFly. Until that happens I don't know for sure, but it seems reasonable that the fix will land in WildFly 34, which we expect to release in the first half of October. Note that our understanding is CVE-2024-7885 only affects servers that have enabled the AJP listener. Best regards, Brian On Tue, Aug 27, 2024 at 8:53 PM Pawan Verma via wildfly-dev < wildfly-dev(a)lists.jboss.org&gt; wrote: > I think there were 4 vulnerabilities in total for > undertow-core-2.3.13.Final.jar (in WildFly 32) > CVE-2024-6162 > CVE-2024-7885 > CVE-2024-5971 > CVE-2024-3653 > > Out of these, 3 are rectified in WildFly 33. But still CVE-2024-7885 is > there. > _______________________________________________ > wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org > To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org > Privacy Statement: https://www.redhat.com/en/about/privacy-policy > List Archives: > https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... > -- Brian Stansberry Principal Architect, Red Hat JBoss EAP WildFly Project Lead He/Him/His