First published: Tue Nov 24 2020
A flaw was found in the Undertow AJP connector. An attacker can send requests whose query strings contain characters that are not RFC-compliant; the connector's handling of these malformed requests leads to abrupt connection closes, resulting in a denial of service against the back end reached over AJP. The highest threat from this vulnerability is to system availability.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/Undertow | <2.1.5. | 2.1.5. |
redhat/Undertow | <2.0.33. | 2.0.33. |
redhat/Undertow | <2.2.3. | 2.2.3. |
redhat/eap7-activemq-artemis | <0:2.9.0-7.redhat_00017.1.el6ea | 0:2.9.0-7.redhat_00017.1.el6ea |
redhat/eap7-glassfish-jsf | <0:2.3.9-12.SP13_redhat_00001.1.el6ea | 0:2.3.9-12.SP13_redhat_00001.1.el6ea |
redhat/eap7-hal-console | <0:3.2.12-1.Final_redhat_00001.1.el6ea | 0:3.2.12-1.Final_redhat_00001.1.el6ea |
redhat/eap7-hibernate | <0:5.3.20-1.Final_redhat_00001.1.el6ea | 0:5.3.20-1.Final_redhat_00001.1.el6ea |
redhat/eap7-httpcomponents-client | <0:4.5.13-1.redhat_00001.1.el6ea | 0:4.5.13-1.redhat_00001.1.el6ea |
redhat/eap7-jboss-ejb-client | <0:4.0.37-1.Final_redhat_00001.1.el6ea | 0:4.0.37-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-genericjms | <0:2.0.8-1.Final_redhat_00001.1.el6ea | 0:2.0.8-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-modules | <0:1.11.0-1.Final_redhat_00001.1.el6ea | 0:1.11.0-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-remoting | <0:5.0.20-1.Final_redhat_00001.1.el6ea | 0:5.0.20-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-4.Final_redhat_00005.1.el6ea | 0:1.7.2-4.Final_redhat_00005.1.el6ea |
redhat/eap7-jboss-xnio-base | <0:3.7.12-1.Final_redhat_00001.1.el6ea | 0:3.7.12-1.Final_redhat_00001.1.el6ea |
redhat/eap7-narayana | <0:5.9.10-1.Final_redhat_00001.1.el6ea | 0:5.9.10-1.Final_redhat_00001.1.el6ea |
redhat/eap7-opentracing-interceptors | <0:0.0.4.1-2.redhat_00002.1.el6ea | 0:0.0.4.1-2.redhat_00002.1.el6ea |
redhat/eap7-resteasy | <0:3.11.3-1.Final_redhat_00001.1.el6ea | 0:3.11.3-1.Final_redhat_00001.1.el6ea |
redhat/eap7-undertow | <0:2.0.33-1.SP2_redhat_00001.1.el6ea | 0:2.0.33-1.SP2_redhat_00001.1.el6ea |
redhat/eap7-wildfly | <0:7.3.5-2.GA_redhat_00001.1.el6ea | 0:7.3.5-2.GA_redhat_00001.1.el6ea |
redhat/eap7-wildfly-discovery | <0:1.2.1-1.Final_redhat_00001.1.el6ea | 0:1.2.1-1.Final_redhat_00001.1.el6ea |
redhat/eap7-wildfly-elytron | <0:1.10.10-1.Final_redhat_00001.1.el6ea | 0:1.10.10-1.Final_redhat_00001.1.el6ea |
redhat/eap7-wildfly-http-client | <0:1.0.24-1.Final_redhat_00001.1.el6ea | 0:1.0.24-1.Final_redhat_00001.1.el6ea |
redhat/eap7-activemq-artemis | <0:2.9.0-7.redhat_00017.1.el7ea | 0:2.9.0-7.redhat_00017.1.el7ea |
redhat/eap7-glassfish-jsf | <0:2.3.9-12.SP13_redhat_00001.1.el7ea | 0:2.3.9-12.SP13_redhat_00001.1.el7ea |
redhat/eap7-hal-console | <0:3.2.12-1.Final_redhat_00001.1.el7ea | 0:3.2.12-1.Final_redhat_00001.1.el7ea |
redhat/eap7-hibernate | <0:5.3.20-1.Final_redhat_00001.1.el7ea | 0:5.3.20-1.Final_redhat_00001.1.el7ea |
redhat/eap7-httpcomponents-client | <0:4.5.13-1.redhat_00001.1.el7ea | 0:4.5.13-1.redhat_00001.1.el7ea |
redhat/eap7-jboss-ejb-client | <0:4.0.37-1.Final_redhat_00001.1.el7ea | 0:4.0.37-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-genericjms | <0:2.0.8-1.Final_redhat_00001.1.el7ea | 0:2.0.8-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-modules | <0:1.11.0-1.Final_redhat_00001.1.el7ea | 0:1.11.0-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-remoting | <0:5.0.20-1.Final_redhat_00001.1.el7ea | 0:5.0.20-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-4.Final_redhat_00005.1.el7ea | 0:1.7.2-4.Final_redhat_00005.1.el7ea |
redhat/eap7-jboss-xnio-base | <0:3.7.12-1.Final_redhat_00001.1.el7ea | 0:3.7.12-1.Final_redhat_00001.1.el7ea |
redhat/eap7-narayana | <0:5.9.10-1.Final_redhat_00001.1.el7ea | 0:5.9.10-1.Final_redhat_00001.1.el7ea |
redhat/eap7-opentracing-interceptors | <0:0.0.4.1-2.redhat_00002.1.el7ea | 0:0.0.4.1-2.redhat_00002.1.el7ea |
redhat/eap7-resteasy | <0:3.11.3-1.Final_redhat_00001.1.el7ea | 0:3.11.3-1.Final_redhat_00001.1.el7ea |
redhat/eap7-undertow | <0:2.0.33-1.SP2_redhat_00001.1.el7ea | 0:2.0.33-1.SP2_redhat_00001.1.el7ea |
redhat/eap7-wildfly | <0:7.3.5-2.GA_redhat_00001.1.el7ea | 0:7.3.5-2.GA_redhat_00001.1.el7ea |
redhat/eap7-wildfly-discovery | <0:1.2.1-1.Final_redhat_00001.1.el7ea | 0:1.2.1-1.Final_redhat_00001.1.el7ea |
redhat/eap7-wildfly-elytron | <0:1.10.10-1.Final_redhat_00001.1.el7ea | 0:1.10.10-1.Final_redhat_00001.1.el7ea |
redhat/eap7-wildfly-http-client | <0:1.0.24-1.Final_redhat_00001.1.el7ea | 0:1.0.24-1.Final_redhat_00001.1.el7ea |
redhat/eap7-activemq-artemis | <0:2.9.0-7.redhat_00017.1.el8ea | 0:2.9.0-7.redhat_00017.1.el8ea |
redhat/eap7-glassfish-jsf | <0:2.3.9-12.SP13_redhat_00001.1.el8ea | 0:2.3.9-12.SP13_redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.2.12-1.Final_redhat_00001.1.el8ea | 0:3.2.12-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hibernate | <0:5.3.20-1.Final_redhat_00001.1.el8ea | 0:5.3.20-1.Final_redhat_00001.1.el8ea |
redhat/eap7-httpcomponents-client | <0:4.5.13-1.redhat_00001.1.el8ea | 0:4.5.13-1.redhat_00001.1.el8ea |
redhat/eap7-jboss-ejb-client | <0:4.0.37-1.Final_redhat_00001.1.el8ea | 0:4.0.37-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-genericjms | <0:2.0.8-1.Final_redhat_00001.1.el8ea | 0:2.0.8-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-modules | <0:1.11.0-1.Final_redhat_00001.1.el8ea | 0:1.11.0-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-remoting | <0:5.0.20-1.Final_redhat_00001.1.el8ea | 0:5.0.20-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-4.Final_redhat_00005.1.el8ea | 0:1.7.2-4.Final_redhat_00005.1.el8ea |
redhat/eap7-jboss-xnio-base | <0:3.7.12-1.Final_redhat_00001.1.el8ea | 0:3.7.12-1.Final_redhat_00001.1.el8ea |
redhat/eap7-narayana | <0:5.9.10-1.Final_redhat_00001.1.el8ea | 0:5.9.10-1.Final_redhat_00001.1.el8ea |
redhat/eap7-opentracing-interceptors | <0:0.0.4.1-2.redhat_00002.1.el8ea | 0:0.0.4.1-2.redhat_00002.1.el8ea |
redhat/eap7-resteasy | <0:3.11.3-1.Final_redhat_00001.1.el8ea | 0:3.11.3-1.Final_redhat_00001.1.el8ea |
redhat/eap7-undertow | <0:2.0.33-1.SP2_redhat_00001.1.el8ea | 0:2.0.33-1.SP2_redhat_00001.1.el8ea |
redhat/eap7-wildfly | <0:7.3.5-2.GA_redhat_00001.1.el8ea | 0:7.3.5-2.GA_redhat_00001.1.el8ea |
redhat/eap7-wildfly-discovery | <0:1.2.1-1.Final_redhat_00001.1.el8ea | 0:1.2.1-1.Final_redhat_00001.1.el8ea |
redhat/eap7-wildfly-elytron | <0:1.10.10-1.Final_redhat_00001.1.el8ea | 0:1.10.10-1.Final_redhat_00001.1.el8ea |
redhat/eap7-wildfly-http-client | <0:1.0.24-1.Final_redhat_00001.1.el8ea | 0:1.0.24-1.Final_redhat_00001.1.el8ea |
Redhat Jboss Fuse | =6.0.0 | |
Redhat Jboss Fuse | =7.0.0 | |
Redhat Openshift Application Runtimes | ||
Redhat Undertow | =2.0.33-sp2 | |
Redhat Undertow | =2.1.5-sp1 | |
Redhat Undertow | =2.2.3-sp1 | |
The issue can be mitigated by proxying from the front-end web server to the back end over HTTP/1.1 instead of AJP. An AJP listener that no longer has a consumer should not stay reachable from the network once the proxy has been switched.
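Because the mitigation is a configuration change rather than a patch, the quickest way to apply it across a fleet is to find where AJP is actually wired up. The script below is an added example, not code from this advisory or from the Undertow project: it flags `ProxyPass`/`ProxyPassReverse` targets using `ajp://` in an Apache httpd config and proposes the equivalent `http://` directive, and it finds `<ajp-listener>` elements in a WildFly/EAP `standalone.xml` and emits the `jboss-cli` command to remove them. Both sample configs are constructed for the example; the back-end HTTP port 8080 and the `/subsystem=undertow/server=<name>` CLI path are assumptions about a standard layout and must be checked against the real deployment.

```python
"""Audit httpd and WildFly/EAP configuration for AJP usage (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an httpd vhost that proxies the application over AJP.
HTTPD_CONF = """\
<VirtualHost *:443>
    ServerName app.example.test
    ProxyPass        /app ajp://10.0.0.5:8009/app
    ProxyPassReverse /app ajp://10.0.0.5:8009/app
    ProxyPass        /static http://10.0.0.5:8080/static
</VirtualHost>
"""

# Constructed sample: the undertow subsystem fragment of a WildFly standalone.xml.
STANDALONE_XML = """\
<subsystem xmlns="urn:jboss:domain:undertow:10.0">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <host name="default-host" alias="localhost"/>
    </server>
</subsystem>
"""

# Matches ProxyPass, ProxyPassReverse and ProxyPassMatch lines whose target uses ajp://.
# Groups: directive, URL path, backend host[:port], remainder of the target URL.
PROXY_RE = re.compile(
    r'^\s*(ProxyPass(?:Reverse|Match)?)\s+(\S+)\s+ajp://([^/\s]+)(\S*)', re.I)


def find_ajp_proxy_lines(conf: str, http_port: int = 8080):
    """Return (line number, original line, proposed HTTP/1.1 line) for every
    AJP proxy directive. http_port is an assumed default for the back end;
    any directive options after the target URL are not carried over."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        directive, path, hostport, rest = m.groups()
        host = hostport.rsplit(":", 1)[0]  # drop the AJP port (usually 8009)
        fixed = f"{directive} {path} http://{host}:{http_port}{rest}"
        findings.append((lineno, line.strip(), fixed))
    return findings


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works across undertow schema versions."""
    return tag.rsplit('}', 1)[-1]


def find_ajp_listeners(xml_text: str):
    """Return (listener name, jboss-cli remove command) for each <ajp-listener>.
    The CLI path assumes the listener lives under /subsystem=undertow/server=<name>."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter():
        if _local(server.tag) != 'server':
            continue
        server_name = server.get('name', 'default-server')
        for child in server:
            if _local(child.tag) == 'ajp-listener':
                name = child.get('name', 'ajp')
                cmd = (f"/subsystem=undertow/server={server_name}"
                       f"/ajp-listener={name}:remove")
                findings.append((name, cmd))
    return findings


if __name__ == "__main__":
    for lineno, original, fixed in find_ajp_proxy_lines(HTTPD_CONF):
        print(f"httpd line {lineno}: {original}\n    -> {fixed}")
    for name, cmd in find_ajp_listeners(STANDALONE_XML):
        print(f"ajp-listener '{name}' present; run in jboss-cli: {cmd} then :reload")
```

Run it against the real `httpd.conf` and `standalone.xml` instead of the embedded samples; after switching the `ProxyPass` targets, removing the listener (followed by `:reload`) closes the AJP port so the connector can no longer be reached even if a stale proxy rule survives somewhere.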