[undertow-dev] Undertow and Ghostcat

Flavia Rainone frainone at redhat.com
Wed Mar 4 01:59:11 EST 2020


We are doing something similar to what was done on Tomcat, i.e. having a
configurable attribute pattern to prevent unknown patterns from being
accepted.

I'll send you a link with the fix when it is available.

On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <bdw429s at gmail.com> wrote:

> Thanks for the reply Flavia.  Can you expound on what the fix will be?  I
> dug into the Ghostcat exploit a bit more and was sort of
> relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much
> as it was "just the way AJP works" and the real fix is really just to
> secure your AJP connections via networking/firewalls and/or configure a
> connection secret (something I don't think Undertow supports)
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone at redhat.com>
> wrote:
>
>> Hi Brad
>>
>> This is usually handled internally by Red Hat to guarantee products come
>> with a fix for the customers before the CVE is open to the public.
>>
>> However, the vulnerability is known to the public, and a fix will be
>> added to the next community version of Undertow 2.0.30.Final, to be
>> released in the next few days with several other fixes.
>>
>> Regards,
>> Flavia
>>
>> On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> Can anyone point me at a reference that covers if Undertow's AJP
>>> listener is susceptible to the newly-released Ghostcat vulnerability.  Most
>>> information centers around Tomcat, but Redhat does have this page
>>> mentioning Undertow.
>>>
>>> https://access.redhat.com/security/cve/CVE-2020-1745
>>>
>>> However, even the information there seems to revolve around Undertow as
>>> it's embedded in EAP 7 and not Undertow when embedded directly in an
>>> application like I use it.
>>>
>>> Is Undertow proper vulnerable?  What versions?  I see a generic ticket
>>> mentioning Undertow here
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>>>
>>> but I can't find any tickets on the Undertow JIRA ticket tracker
>>>
>>>
>>> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat
>>>
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>
>>
>> --
>>
>> Flavia Rainone
>>
>> Principal Software Engineer
>>
>> Red Hat <https://www.redhat.com>
>>
>> frainone at redhat.com
>> <https://www.redhat.com>
>>
>

-- 

Flavia Rainone

Principal Software Engineer

Red Hat <https://www.redhat.com>

frainone at redhat.com
<https://www.redhat.com>
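As an added illustration of the approach described in this thread (not Undertow's or Tomcat's own code), the following Python models an AJP connector policy that accepts forward-request attributes only when their names match a configured allow-list pattern, and that additionally requires the connection secret Brad mentions when one is configured. The attribute names, pattern and secret are constructed sample values.

```python
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed model of the defence: unknown request attributes arriving over AJP
# are rejected unless they match a configured pattern, and a shared secret, when
# configured, must be presented by the proxy on every forwarded request.

class AjpAttributePolicy:
    def __init__(self, allowed_pattern: Optional[str] = None, secret: Optional[str] = None):
        # No pattern configured means no arbitrary attributes are accepted (safe default).
        self._allowed = re.compile(allowed_pattern) if allowed_pattern else None
        self._secret = secret

    def check(self, attributes: List[Tuple[str, str]], presented_secret: Optional[str]) -> Tuple[bool, str]:
        """Return (accepted, reason) for one decoded forward request."""
        if self._secret is not None:
            # Constant-time comparison so a wrong secret is not distinguishable by timing.
            if presented_secret is None or not hmac.compare_digest(presented_secret, self._secret):
                return False, "connection secret missing or mismatched"
        for name, _value in attributes:
            if self._allowed is None or not self._allowed.fullmatch(name):
                return False, f"request attribute not allowed: {name}"
        return True, "ok"

# Constructed sample requests: (attribute name/value pairs, secret presented by the proxy).
SAMPLES: Dict[str, Tuple[List[Tuple[str, str]], Optional[str]]] = {
    "plain": ([], None),
    "proxy_metadata": ([("proxy.remote_port", "51234")], None),
    "unknown_attr": ([("app.internal.setting", "x")], None),
    "plain_with_secret": ([], "example-secret"),
}

def evaluate(policy: AjpAttributePolicy, samples=SAMPLES) -> Dict[str, bool]:
    """Apply a policy to every sample and report which requests it accepts."""
    return {name: policy.check(attrs, secret)[0] for name, (attrs, secret) in samples.items()}

if __name__ == "__main__":
    print("default:", evaluate(AjpAttributePolicy()))
    print("pattern:", evaluate(AjpAttributePolicy(allowed_pattern=r"proxy\..*")))
    print("secret: ", evaluate(AjpAttributePolicy(secret="example-secret")))
```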