A flaw was found in Undertow. For an AJP 400 response, JBoss EAP 7 improperly sends two response packets, and both packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING, because the client reads the second SEND_HEADERS response packet instead of the expected CPONG.
Published: 2022-08-31T16:15:09.410
Last modified: 2024-11-21T06:40:28.920
Status: Modified
CVSSv3.1: 7.5 (HIGH)
Type | Vendor | Product | Version/Range | Vulnerable?
---|---|---|---|---
Application | redhat | openshift_application_runtimes | - | Yes
Application | redhat | single_sign-on | 7.0 | Yes
Application | redhat | undertow | < 2.2.17 | Yes
Application | redhat | undertow | 2.2.17 | Yes
Application | redhat | undertow | 2.2.19 | Yes
Application | redhat | undertow | 2.3.0 | Yes
Application | netapp | active_iq_unified_manager | - | Yes
Application | netapp | cloud_secure_agent | - | Yes
Application | netapp | oncommand_insight | - | Yes
Application | netapp | oncommand_workflow_automation | - | Yes