First published: Wed Dec 14 2022
A flaw was found in Undertow. The Undertow client does not check the server identity presented by the server certificate in HTTPS connections. This verification is a compulsory step in HTTPS and HTTP/2 (it should at least be performed by default): without it, a client that validates only the certificate chain will accept any valid certificate, regardless of the host it was issued for.
Credit: secalert@redhat.com
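The missing step described above is what JSSE calls endpoint identification. The following is an added example, not Undertow's own code, showing how a Java TLS client enables it on an SSLEngine and how to audit an engine for the weak default; the host name and port are placeholders and no connection is opened.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdentificationCheck {

    // Audit helper: true only when the engine is a client and JSSE will match
    // the server certificate against the host the engine was created for.
    static boolean verifiesServerIdentity(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return engine.getUseClientMode() && alg != null && !alg.isEmpty();
    }

    // Hardened form: ask JSSE to perform HTTPS host name matching against the
    // peer certificate during the handshake. A raw SSLEngine/SSLSocket otherwise
    // validates only the chain, not the identity, which is the class of flaw
    // described in this advisory.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "server.example"; // placeholder peer, constructed for this example
        int port = 443;

        // Weak form: the JSSE default leaves the algorithm unset.
        SSLEngine weak = ctx.createSSLEngine(host, port);
        weak.setUseClientMode(true);
        System.out.println("default engine verifies identity: " + verifiesServerIdentity(weak));

        SSLEngine fixed = clientEngine(ctx, host, port);
        System.out.println("hardened engine verifies identity: " + verifiesServerIdentity(fixed));
    }
}
```

The same audit applies to SSLSocket, which exposes getSSLParameters() and setSSLParameters() with identical semantics.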
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el8ea | 0:2.2.23-1.SP2_redhat_00001.1.el8ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el8ea | 0:2.0.14-1.Final_redhat_00001.1.el8ea |
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el9ea | 0:2.2.23-1.SP2_redhat_00001.1.el9ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el9ea | 0:2.0.14-1.Final_redhat_00001.1.el9ea |
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el7ea | 0:2.2.23-1.SP2_redhat_00001.1.el7ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el7ea | 0:2.0.14-1.Final_redhat_00001.1.el7ea |
redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el7 | 0:18.0.7-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el8 | 0:18.0.7-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el9 | 0:18.0.7-1.redhat_00001.1.el9 |
IBM Watson Knowledge Catalog on-prem | <=4.x | |
Redhat Build Of Quarkus | | |
Redhat Integration Camel For Spring Boot | | |
Redhat Integration Camel K | | |
Redhat Integration Service Registry | | |
Redhat Jboss Enterprise Application Platform | =7.0.0 | |
Redhat Jboss Fuse | =7.0.0 | |
Redhat Migration Toolkit For Applications | =6.0 | |
Redhat Migration Toolkit For Runtimes | | |
Redhat Single Sign-on | =7.0 | |
Redhat Undertow | =2.7.0 | |
CVE-2022-4492 is a vulnerability in Undertow in which the Undertow client does not check the server identity presented in HTTPS connections.
The severity of CVE-2022-4492 is high, with a severity value of 7.
CVE-2022-4492 affects Red Hat EAP7 Undertow versions 2.2.23-1.SP2_redhat_00001.1.el8ea, 2.2.23-1.SP2_redhat_00001.1.el9ea, and 2.2.23-1.SP2_redhat_00001.1.el7ea.
CVE-2022-4492 affects Red Hat EAP7 Undertow Jastow versions 2.0.14-1.Final_redhat_00001.1.el8ea, 2.0.14-1.Final_redhat_00001.1.el9ea, and 2.0.14-1.Final_redhat_00001.1.el7ea.
The remedy for CVE-2022-4492 is to upgrade to the specified fixed versions of Red Hat EAP7 Undertow or Red Hat EAP7 Undertow Jastow.