[undertow-dev] Undertow and Ghostcat

Brad Wood bdw429s at gmail.com
Tue Mar 10 18:50:13 EDT 2020


Thx for the update!

On Tue, Mar 10, 2020, 3:19 PM Flavia Rainone <frainone at redhat.com> wrote:

> The fix is here:
> https://github.com/undertow-io/undertow/pull/859
> We will be releasing Undertow 2.0.30.Final soon with that fix.
>
> On Wed, Mar 4, 2020 at 3:59 AM Flavia Rainone <frainone at redhat.com> wrote:
>
>> We are doing something similar to what was done on Tomcat, i.e. having a
>> configurable attribute pattern to prevent unknown patterns from being
>> accepted.
>>
>> I'll send you a link with the fix when it is available.
>>
>> On Wed, Mar 4, 2020 at 2:39 AM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> Thanks for the reply Flavia.  Can you expound on what the fix will be?
>>> I dug into the Ghostcat exploit a bit more and was sort of
>>> relieved/disappointed to see it wasn't a "bug" or a "vulnerability" so much
>>> as it was "just the way AJP works" and the real fix is really just to
>>> secure your AJP connections via networking/firewalls and/or configure a
>>> connection secret (something I don't think Undertow supports).
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>>
>>>
>>> On Tue, Mar 3, 2020 at 11:30 PM Flavia Rainone <frainone at redhat.com>
>>> wrote:
>>>
>>>> Hi Brad
>>>>
>>>> This is usually handled internally by Red Hat to guarantee products
>>>> come with a fix for the customers before the CVE is open to the public.
>>>>
>>>> However, the vulnerability is known to the public, and a fix will be
>>>> added to the next community version of Undertow 2.0.30.Final, to be
>>>> released in the next few days with several other fixes.
>>>>
>>>> Regards,
>>>> Flavia
>>>>
>>>> On Mon, Mar 2, 2020 at 3:32 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>
>>>>> Can anyone point me at a reference that covers whether Undertow's AJP
>>>>> listener is susceptible to the newly-released Ghostcat vulnerability?  Most
>>>>> information centers around Tomcat, but Red Hat does have this page
>>>>> mentioning Undertow.
>>>>>
>>>>> https://access.redhat.com/security/cve/CVE-2020-1745
>>>>>
>>>>> However, even the information there seems to revolve around Undertow
>>>>> as it's embedded in EAP 7 and not Undertow when embedded directly in an
>>>>> application like I use it.
>>>>>
>>>>> Is Undertow proper vulnerable?  What versions?  I see a generic ticket
>>>>> mentioning Undertow here
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1807305
>>>>>
>>>>> but I can't find any tickets on the Undertow JIRA ticket tracker
>>>>>
>>>>>
>>>>> https://issues.redhat.com/issues/?jql=project%20%3D%20UNDERTOW%20AND%20text%20~%20ghostcat
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>> ~Brad
>>>>>
>>>>> *Developer Advocate*
>>>>> *Ortus Solutions, Corp *
>>>>>
>>>>> E-mail: brad at coldbox.org
>>>>> ColdBox Platform: http://www.coldbox.org
>>>>> Blog: http://www.codersrevolution.com
>>>>>
>>>>> _______________________________________________
>>>>> undertow-dev mailing list
>>>>> undertow-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Flavia Rainone
>>>>
>>>> Principal Software Engineer
>>>>
>>>> Red Hat <https://www.redhat.com>
>>>>
>>>> frainone at redhat.com
>>>> <https://www.redhat.com>
>>>>
>>>
>>
>> --
>>
>> Flavia Rainone
>>
>> Principal Software Engineer
>>
>> Red Hat <https://www.redhat.com>
>>
>> frainone at redhat.com
>> <https://www.redhat.com>
>>
>
>
> --
>
> Flavia Rainone
>
> Principal Software Engineer
>
> Red Hat <https://www.redhat.com>
>
> frainone at redhat.com
> <https://www.redhat.com>
>
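The fix Flavia describes above (a configurable pattern deciding which AJP request attributes the connector accepts, as Tomcat did), modelled in Python as an added example; this is not Undertow's code and not the code in PR 859. It assumes the attribute codes and string encoding of the AJP13 protocol description, a constructed sample packet tail, and the pattern semantics chosen here (no pattern configured means every proxy-set named attribute is refused; a pattern must match the whole name), which need not match Undertow's implementation.

```python
import re
import struct

# AJP13 attribute codes carrying one string value (names from the AJP13 spec);
# 0x0B ssl_key_size carries an integer and is left out of this model.
STRING_CODES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
                0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
                0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}
REQ_ATTRIBUTE = 0x0A       # arbitrary name/value pair chosen by the proxy
END_OF_ATTRIBUTES = 0xFF

def _read_string(buf, pos):
    """Read an AJP string: u16 length, bytes, NUL (length 0xFFFF encodes null)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    if length == 0xFFFF:
        return None, pos + 2
    start = pos + 2
    return buf[start:start + length].decode("latin-1"), start + length + 1

def _ajp_string(s):  # inverse of _read_string; used only to build the sample below
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def parse_request_attributes(buf, pos=0):
    """Parse the attribute list that ends a forward request: [(code, name, value)]."""
    attrs = []
    while pos < len(buf):
        code, pos = buf[pos], pos + 1
        if code == END_OF_ATTRIBUTES:
            return attrs
        if code == REQ_ATTRIBUTE:
            name, pos = _read_string(buf, pos)
            value, pos = _read_string(buf, pos)
        elif code in STRING_CODES:
            name, (value, pos) = STRING_CODES[code], _read_string(buf, pos)
        else:
            raise ValueError("unsupported attribute code 0x%02x" % code)
        attrs.append((code, name, value))
    raise ValueError("attribute list not terminated")

def rejected_attribute_names(attrs, allowed_pattern=None):
    """req_attribute names the connector should refuse: with no pattern configured every
    proxy-set name is refused (safe default); otherwise the pattern must match the whole name."""
    regex = re.compile(allowed_pattern) if allowed_pattern else None
    return [name for code, name, _ in attrs
            if code == REQ_ATTRIBUTE and not (regex and regex.fullmatch(name))]

SAMPLE = (bytes([0x05]) + _ajp_string("q=1")  # constructed: query string + two named attributes
          + bytes([0x0A]) + _ajp_string("com.example.tenant") + _ajp_string("acme")
          + bytes([0x0A]) + _ajp_string("org.example.internal") + _ajp_string("1")
          + bytes([0xFF]))
```

A request whose attributes produce a non-empty rejected list should be refused outright rather than partially honoured, which is what makes the no-pattern default a safe one.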