Correcting typos I used WildFly 33.0.1.Final in one of our application and hoping that High vulnerability in undertow-core will be rectified. But there is still High vulnerability in undertow-core-2.3.15.Final.jar (CVE-2024-7885). Is it going to be rectified sooner? Thanks, Pawan

Hi Pawan, The CVE-2024-7885 issue is not yet fixed in Undertow, although I know the Undertow community is looking into it. Once Undertow does a release with a fix for that included, we'll evaluate how to incorporate it into WildFly. Until that happens I don't know for sure, but it seems reasonable that the fix will land in WildFly 34, which we expect to release in the first half of October. Note that our understanding is CVE-2024-7885 only affects servers that have enabled the AJP listener. Best regards, Brian On Tue, Aug 27, 2024 at 8:53 PM Pawan Verma via wildfly-dev < wildfly-dev(a)lists.jboss.org&gt; wrote: -- Brian Stansberry Principal Architect, Red Hat JBoss EAP WildFly Project Lead He/Him/His

Thank you, Brian, for the info. This helps. Thanks, Pawan From: Brian Stansberry <brian.stansberry(a)redhat.com&gt; Sent: Wednesday, September 18, 2024 5:51 PM To: Pawan Verma -X (pawverma - INFOSYS LIMITED at Cisco) <pawverma(a)cisco.com&gt; Cc: wildfly-dev(a)lists.jboss.org Subject: Re: [wildfly-dev] Re: Vulnerabilities in wildfly version 32.0.1.Final Hi Pawan, The fix for CVE-2024-7885 is included in the 33.0.2.Final release we did yesterday: https://www.wildfly.org/news/2024/09/17/WildFly3302-Released/ Best regards, Brian On Thu, Aug 29, 2024 at 11:19 AM Brian Stansberry <brian.stansberry@redhat.com<mailto:brian.stansberry@redhat.com>> wrote: Hi Pawan, The CVE-2024-7885 issue is not yet fixed in Undertow, although I know the Undertow community is looking into it. Once Undertow does a release with a fix for that included, we'll evaluate how to incorporate it into WildFly. Until that happens I don't know for sure, but it seems reasonable that the fix will land in WildFly 34, which we expect to release in the first half of October. Note that our understanding is CVE-2024-7885 only affects servers that have enabled the AJP listener. Best regards, Brian On Tue, Aug 27, 2024 at 8:53 PM Pawan Verma via wildfly-dev <wildfly-dev@lists.jboss.org<mailto:wildfly-dev@lists.jboss.org>> wrote: I think there were 4 vulnerabilities in total for undertow-core-2.3.13.Final.jar (in WildFly 32) CVE-2024-6162 CVE-2024-7885 CVE-2024-5971 CVE-2024-3653 Out of these, 3 are rectified in WildFly 33. But still CVE-2024-7885 is there. _______________________________________________ wildfly-dev mailing list -- wildfly-dev@lists.jboss.org<mailto:wildfly-dev@lists.jboss.org> To unsubscribe send an email to wildfly-dev-leave@lists.jboss.org<mailto:wildfly-dev-leave@lists.jboss.org> Privacy Statement: https://www.redhat.com/en/about/privacy-policy List Archives: https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... -- Brian Stansberry Principal Architect, Red Hat JBoss EAP WildFly Project Lead He/Him/His -- Brian Stansberry Principal Architect, Red Hat JBoss EAP WildFly Project Lead He/Him/His