Hi Pawan,

The fix for CVE-2024-7885 is included in the 33.0.2.Final release we did yesterday: 

https://www.wildfly.org/news/2024/09/17/WildFly3302-Released/

Best regards,
Brian

On Thu, Aug 29, 2024 at 11:19 AM Brian Stansberry <brian.stansberry@redhat.com> wrote:
Hi Pawan,

The CVE-2024-7885 issue is not yet fixed in Undertow, although I know the Undertow community is looking into it. Once Undertow does a release with a fix for that included, we'll evaluate how to incorporate it into WildFly. Until that happens I don't know for sure, but it seems reasonable that the fix will land in WildFly 34, which we expect to release in the first half of October.

Note that our understanding is CVE-2024-7885 only affects servers that have enabled the AJP listener.

Best regards,
Brian

On Tue, Aug 27, 2024 at 8:53 PM Pawan Verma via wildfly-dev <wildfly-dev@lists.jboss.org> wrote:
I think there were 4 vulnerabilities in total for undertow-core-2.3.13.Final.jar (in WildFly 32)
CVE-2024-6162
CVE-2024-7885
CVE-2024-5971
CVE-2024-3653

Out of these, 3 are rectified in WildFly 33. But still CVE-2024-7885 is there.
_______________________________________________
wildfly-dev mailing list -- wildfly-dev@lists.jboss.org
To unsubscribe send an email to wildfly-dev-leave@lists.jboss.org
Privacy Statement: https://www.redhat.com/en/about/privacy-policy
List Archives: https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message/RNQLS2UJKJBJ7QA7MCLAUY5W3IBYK7KP/


--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His


--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His