[undertow-dev] Undertow and Ghostcat

Flavia Rainone frainone at redhat.com
Tue Mar 10 16:19:30 EDT 2020


The fix is here:
https://github.com/undertow-io/undertow/pull/859
We will be releasing Undertow 2.0.30.Final soon with that fix.

On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone <frainone at redhat.com> wrote:

> We are doing something similar to what was done on Tomcat, i.e. having a
> configurable attribute pattern to prevent unknown patterns from being
> accepted.
>
> I'll send you a link with the fix when it is available.
>
> On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <bdw429s at gmail.com> wrote:
>
>> Thanks for the reply, Flavia.  Can you expound on what the fix will be?  I
>> dug into the Ghostcat exploit a bit more and was sort of
>> relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much
>> as it was "just the way AJP works" and the real fix is really just to
>> secure your AJP connections via networking/firewalls and/or configure a
>> connection secret (something I don't think Undertow supports).
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp*
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>>
>> On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone at redhat.com>
>> wrote:
>>
>>> Hi Brad
>>>
>>> This is usually handled internally by Red Hat to guarantee products come
>>> with a fix for the customers before the CVE is open to the public.
>>>
>>> However, the vulnerability is known to the public, and a fix will be
>>> added to the next community version of Undertow 2.0.30.Final, to be
>>> released in the next few days with several other fixes.
>>>
>>> Regards,
>>> Flavia
>>>
>>> On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>
>>>> Can anyone point me at a reference that covers whether Undertow's AJP
>>>> listener is susceptible to the newly-released Ghostcat vulnerability.  Most
>>>> information centers around Tomcat, but Red Hat does have this page
>>>> mentioning Undertow.
>>>>
>>>> https://access.redhat.com/security/cve/CVE-2020-1745
>>>>
>>>> However, even the information there seems to revolve around Undertow as
>>>> it's embedded in EAP 7 and not Undertow when embedded directly in an
>>>> application like I use it.
>>>>
>>>> Is Undertow proper vulnerable?  What versions?  I see a generic ticket
>>>> mentioning Undertow here
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>>>>
>>>> but I can't find any tickets on the Undertow JIRA ticket tracker
>>>>
>>>>
>>>> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> ~Brad
>>>>
>>>> *Developer Advocate*
>>>> *Ortus Solutions, Corp*
>>>>
>>>> E-mail: brad at coldbox.org
>>>> ColdBox Platform: http://www.coldbox.org
>>>> Blog: http://www.codersrevolution.com
>>>>
>>>
>>
>


-- 

Flavia Rainone

Principal Software Engineer

Red Hat <https://www.redhat.com>

frainone at redhat.com
<https://www.redhat.com>
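Added example (not part of the thread, and not Undertow's or Tomcat's code): a small Python model of the two AJP-side mitigations discussed above, the allow-list pattern for req_attribute names that Flavia describes as the Undertow fix, and the connection secret that Brad mentions. It encodes and parses an AJP13 FORWARD_REQUEST so the check sits where a container would apply it, on attribute code 0x0A entries ahead of the request terminator. The attribute names, the secret value and the policy default (no pattern configured means every forwarded attribute is rejected) are constructed for the illustration and are assumptions, not anything the thread states.

```python
"""Minimal AJP13 FORWARD_REQUEST encoder/decoder with two policy checks:
an allow-list regex over req_attribute (0x0A) names and a connection secret (0x0C).
Illustrative code written for this thread; not Undertow's implementation."""
import hmac
import re
import struct

AJP_MAGIC = b"\x12\x34"        # proxy -> container packets start with 0x1234
FORWARD_REQUEST = 0x02         # prefix code of a forward request
ATTR_REQ_ATTRIBUTE = 0x0A      # arbitrary name/value attribute set by the proxy
ATTR_SSL_KEY_SIZE = 0x0B       # the one attribute carrying an integer, not a string
ATTR_SECRET = 0x0C             # shared secret, if the proxy is configured with one
ATTR_TERMINATOR = 0xFF
METHOD_GET = 2


def _enc_str(s):
    """AJP string: 2-byte length, bytes, NUL terminator."""
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def _dec_str(buf, pos):
    """Decode an AJP string at pos; 0xFFFF length means null. Returns (str|None, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode(), pos + n + 1   # +1 skips the NUL


def build_forward_request(uri="/", headers=(), attributes=(), secret=None):
    """Encode a GET forward request the way a reverse proxy would (constructed sample input)."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += _enc_str("HTTP/1.1") + _enc_str(uri)
    body += _enc_str("127.0.0.1") + _enc_str("localhost") + _enc_str("localhost")
    body += struct.pack(">H", 80) + b"\x00"            # server_port, is_ssl
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += _enc_str(name) + _enc_str(value)
    for name, value in attributes:
        body += bytes([ATTR_REQ_ATTRIBUTE]) + _enc_str(name) + _enc_str(value)
    if secret is not None:
        body += bytes([ATTR_SECRET]) + _enc_str(secret)
    body += bytes([ATTR_TERMINATOR])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def parse_forward_request(packet):
    """Return (req_uri, headers, req_attributes, secret); raise ValueError on bad framing."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("bad magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != FORWARD_REQUEST:
        raise ValueError("not a complete forward request")
    pos = 2                                             # skip prefix code and method
    fields = []
    for _ in range(5):                                  # protocol, req_uri, remote_addr, remote_host, server_name
        s, pos = _dec_str(body, pos)
        fields.append(s)
    pos += 3                                            # server_port (2) + is_ssl (1)
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    headers = []
    for _ in range(num_headers):
        if body[pos] == 0xA0:                           # well-known header name sent as 2-byte code
            name, pos = "sc_req_header_%02x" % body[pos + 1], pos + 2
        else:
            name, pos = _dec_str(body, pos)
        value, pos = _dec_str(body, pos)
        headers.append((name, value))
    attributes, secret = [], None
    while True:
        code, pos = body[pos], pos + 1
        if code == ATTR_TERMINATOR:
            break
        if code == ATTR_REQ_ATTRIBUTE:
            name, pos = _dec_str(body, pos)
            value, pos = _dec_str(body, pos)
            attributes.append((name, value))
        elif code == ATTR_SECRET:
            secret, pos = _dec_str(body, pos)
        elif code == ATTR_SSL_KEY_SIZE:
            pos += 2
        else:                                           # every other attribute carries one string
            _, pos = _dec_str(body, pos)
    return fields[1], headers, attributes, secret


def accept_request(packet, allowed_attr_pattern=None, required_secret=None):
    """Policy decision: (accepted, reason). Default is deny for any forwarded req_attribute."""
    try:
        uri, headers, attributes, secret = parse_forward_request(packet)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError) as exc:
        return False, f"malformed packet: {exc}"
    if required_secret is not None:
        if secret is None or not hmac.compare_digest(secret.encode(), required_secret.encode()):
            return False, "missing or wrong connection secret"
    for name, _ in attributes:
        if allowed_attr_pattern is None or not re.fullmatch(allowed_attr_pattern, name):
            return False, f"request attribute {name!r} not allowed"
    return True, f"forwarding {uri}"


if __name__ == "__main__":
    # Constructed samples: a plain request, one smuggling an unexpected attribute, one with a secret.
    print(accept_request(build_forward_request(uri="/index.html", headers=[("Host", "localhost")])))
    print(accept_request(build_forward_request(attributes=[("example.internal.flag", "1")])))
    print(accept_request(build_forward_request(secret="s3cret"), required_secret="s3cret"))
```

The parser is deliberately strict: a truncated packet, or an attribute whose name is not covered by the configured pattern, is rejected before anything reaches servlet dispatch, which is the shape of the "configurable attribute pattern" fix described above. The secret only helps if the AJP port is reachable by something other than the trusted proxy in the first place, so it complements, rather than replaces, restricting the connector at the network level.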