[undertow-dev] Undertow and Ghostcat

Brad Wood bdw429s at gmail.com
Wed Mar 4 00:39:39 EST 2020


Thanks for the reply Flavia.  Can you expound on what the fix will be?  I
dug into the Ghostcat exploit a bit more and was sort of
relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much
as it was "just the way AJP works" and the real fix is really just to
secure your AJP connections via networking/firewalls and/or configure a
connection secret (something I don't think Undertow supports).

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com



On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone at redhat.com> wrote:

> Hi Brad
>
> This is usually handled internally by Red Hat to guarantee products come
> with a fix for the customers before the CVE is open to the public.
>
> However, the vulnerability is known to the public, and a fix will be added
> to the next community version of Undertow 2.0.30.Final, to be released in
> the next few days with several other fixes.
>
> Regards,
> Flavia
>
> On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s at gmail.com> wrote:
>
>> Can anyone point me at a reference that covers if Undertow's AJP listener
>> is susceptible to the newly-released Ghostcat vulnerability.  Most
>> information centers around Tomcat, but Redhat does have this page
>> mentioning Undertow.
>>
>> https://access.redhat.com/security/cve/CVE-2020-1745
>>
>> However, even the information there seems to revolve around Undertow as
>> it's embedded in EAP 7 and not Undertow when embedded directly in an
>> application like I use it.
>>
>> Is Undertow proper vulnerable?  What versions?  I see a generic ticket
>> mentioning Undertow here
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>>
>> but I can't find any tickets on the Undertow JIRA ticket tracker
>>
>>
>> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat
>>
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
>
> --
>
> Flavia Rainone
>
> Principal Software Engineer
>
> Red Hat <https://www.redhat.com>
>
> frainone at redhat.com
>
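Brad's point above that the practical mitigation is to keep AJP off untrusted networks invites a simple check: from a host that should be blocked by the firewall, does the AJP port answer at all? The script below is an added example written for this page, not Undertow code and not something posted in the thread. It speaks the AJP13 framing (web-server-to-container packets start with the bytes 0x12 0x34, container-to-web-server packets with "AB", each followed by a two-byte big-endian payload length and a prefix code), sends a CPing (prefix 10) and checks for the CPong reply (prefix 9). A CPong only proves the connector is reachable from where you ran the probe; it says nothing about how the listener handles request attributes or whether a connection secret is configured. The default host and port are assumptions for illustration.

```python
"""Probe for an AJP13 listener that is reachable from the probing host.

AJP13 framing (assumed from the public AJP13 protocol description):
  web server -> container : 0x12 0x34, 2-byte length, payload
  container  -> web server: "AB",      2-byte length, payload
The first payload byte is the message prefix code. CPing (10) must be
answered with CPong (9), so it is a harmless liveness probe: if a host
that the firewall should cut off from port 8009 gets a CPong back, the
AJP connector is exposed to that host.
"""
import socket
import struct

SERVER_MAGIC = b"\x12\x34"   # web server -> servlet container
CONTAINER_MAGIC = b"AB"      # servlet container -> web server
PREFIX_CPING = 10
PREFIX_CPONG = 9


def build_cping() -> bytes:
    """Encode a CPing packet: magic, length 1, prefix code 10."""
    payload = bytes([PREFIX_CPING])
    return SERVER_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_container_packet(data: bytes):
    """Return (prefix_code, payload) for a well-formed container packet, else None.

    Rejects wrong magic, a length field that exceeds the bytes actually
    received, and an empty payload (there would be no prefix byte).
    """
    if len(data) < 5 or data[:2] != CONTAINER_MAGIC:
        return None
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    if length == 0 or len(payload) != length:
        return None
    return payload[0], payload


def is_cpong(data: bytes) -> bool:
    """True only for a well-formed container packet whose prefix is CPong (9)."""
    parsed = parse_container_packet(data)
    return parsed is not None and parsed[0] == PREFIX_CPONG


def probe_ajp(host: str, port: int = 8009, timeout: float = 3.0) -> str:
    """Classify host:port as 'ajp', 'open-not-ajp' or 'closed'.

    'open-not-ajp' covers anything that accepted the TCP connection but did
    not answer CPing with CPong (an HTTP listener, a closed-on-read socket).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cping())
            reply = s.recv(64)
    except OSError:            # refused, unreachable, timeout (all OSError)
        return "closed"
    return "ajp" if is_cpong(reply) else "open-not-ajp"


if __name__ == "__main__":
    import sys
    # Assumed defaults for illustration; pass the real target on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:8009 -> {probe_ajp(target)}")
```

Run it from the reverse-proxy host (where "ajp" is expected) and again from a host outside the trusted segment, where anything other than "closed" means the network-level mitigation is not in place.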