CVE-2022-4492: SSRF
First published: Wed Dec 14 2022(Updated: )
A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el8ea | 0:2.2.23-1.SP2_redhat_00001.1.el8ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el8ea | 0:2.0.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el9ea | 0:2.2.23-1.SP2_redhat_00001.1.el9ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el9ea | 0:2.0.14-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el7ea | 0:2.2.23-1.SP2_redhat_00001.1.el7ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el7ea | 0:2.0.14-1.Final_redhat_00001.1.el7ea |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el7 | 0:18.0.7-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el8 | 0:18.0.7-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el9 | 0:18.0.7-1.redhat_00001.1.el9 |
| IBM Watson Knowledge Catalog on-prem | <=4.x | |
| Redhat Build Of Quarkus | ||
| Redhat Integration Camel For Spring Boot | ||
| Redhat Integration Camel K | ||
| Redhat Integration Service Registry | ||
| Redhat Jboss Enterprise Application Platform | =7.0.0 | |
| Redhat Jboss Fuse | =7.0.0 | |
| Redhat Migration Toolkit For Applications | =6.0 | |
| Redhat Migration Toolkit For Runtimes | ||
| Redhat Single Sign-on | =7.0 | |
| Redhat Undertow | =2.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/248558
- https://www.ibm.com/support/pages/node/7009747 (Advisory)
- https://access.redhat.com/security/cve/CVE-2022-4492
- https://bugzilla.redhat.com/show_bug.cgi?id=2153260
- https://security.netapp.com/advisory/ntap-20230324-0002/
- https://issues.redhat.com/browse/UNDERTOW-2212
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:1516
- https://access.redhat.com/security/cve/cve-2022-4492
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/errata/RHSA-2023:2706
- https://access.redhat.com/errata/RHSA-2023:2707
- https://access.redhat.com/errata/RHSA-2023:2705
- https://access.redhat.com/errata/RHSA-2023:2713
- https://access.redhat.com/errata/RHSA-2023:2710
- https://access.redhat.com/errata/RHSA-2023:3813
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2023:4627
- https://www.cve.org/CVERecord?id=CVE-2022-4492 https://nvd.nist.gov/vuln/detail/CVE-2022-4492
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-4492?
CVE-2022-4492 is a vulnerability in undertow that allows the server identity presented in HTTPS connections to not be checked by the undertow client.
What is the severity of CVE-2022-4492?
The severity of CVE-2022-4492 is high with a severity value of 7.
How does CVE-2022-4492 affect Red Hat EAP7 Undertow?
CVE-2022-4492 affects Red Hat EAP7 Undertow versions 2.2.23-1.SP2_redhat_00001.1.el8ea, 2.2.23-1.SP2_redhat_00001.1.el9ea, and 2.2.23-1.SP2_redhat_00001.1.el7ea.
How does CVE-2022-4492 affect Red Hat EAP7 Undertow Jastow?
CVE-2022-4492 affects Red Hat EAP7 Undertow Jastow versions 2.0.14-1.Final_redhat_00001.1.el8ea, 2.0.14-1.Final_redhat_00001.1.el9ea, and 2.0.14-1.Final_redhat_00001.1.el7ea.
What is the remedy for CVE-2022-4492?
The remedy for CVE-2022-4492 is to upgrade to the specified fixed versions of Red Hat EAP7 Undertow or Red Hat EAP7 Undertow Jastow.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-4492
- agent/author
- agent/references
- agent/severity
- agent/weakness
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/redhat
- canonical/redhat build of quarkus
- canonical/redhat integration camel for spring boot
- canonical/redhat integration camel k
- canonical/redhat integration service registry
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/7.0.0
- canonical/redhat jboss fuse
- version/redhat jboss fuse/7.0.0
- canonical/redhat migration toolkit for applications
- version/redhat migration toolkit for applications/6.0
- canonical/redhat migration toolkit for runtimes
- canonical/redhat single sign-on
- version/redhat single sign-on/7.0
- canonical/redhat undertow
- version/redhat undertow/2.7.0
- vendor/ibm
- canonical/ibm watson knowledge catalog on-prem
- version/ibm watson knowledge catalog on-prem/4.x