Bug 1807305 (CVE-2020-1745)

Summary: CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
Product: [Other] Security Response
Reporter: Kunjan Rathod <krathod>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Undertow 2.0.30.Final
Doc Type: If docs needed, set a value
Doc Text:
A file inclusion vulnerability was found in the AJP connector, which is enabled with a default AJP configuration port of 8009, in Undertow 2.0.29.Final and earlier. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-12 22:32:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1807654, 1807658, 1808147
Bug Blocks: 1806546

Description Kunjan Rathod 2020-02-26 04:02:50 UTC
A file read/inclusion vulnerability was found in the AJP connector in Undertow. This is enabled with a default AJP configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).
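Because the exposure described above hinges on an AJP listener being enabled (by default on port 8009), a defender's first check is whether a deployment actually has one. The following audit script is an added example, not part of this bug record or of the Undertow project; it assumes the WildFly/EAP standalone.xml layout (an `<ajp-listener>` in the undertow subsystem referencing a `<socket-binding>` whose port expression is `${jboss.ajp.port:8009}`) and uses a constructed, trimmed sample file.

```python
"""Flag enabled Undertow AJP listeners in a WildFly/EAP standalone.xml.

Added example (not from this bug record or the Undertow project). Assumes the
WildFly layout: an <ajp-listener> in the undertow subsystem names a
<socket-binding> whose port expression defaults to 8009. Sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0">
      <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
  </socket-binding-group>
</server>"""

def _local(tag):
    # Strip the XML namespace so elements match on their local name only.
    return tag.rsplit("}", 1)[-1]

def resolve_port(expr):
    # Ports are usually written as ${jboss.ajp.port:8009}; use the default value.
    m = re.fullmatch(r"\$\{[^:}]+:(\d+)\}", expr)
    return int(m.group(1)) if m else int(expr)

def find_ajp_listeners(xml_text):
    """Return (listener name, port, interface) for each enabled AJP listener."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for group in root.iter():
        if _local(group.tag) == "socket-binding-group":
            default_iface = group.get("default-interface")
            for sb in group:
                if _local(sb.tag) == "socket-binding":
                    bindings[sb.get("name")] = (resolve_port(sb.get("port")),
                                                sb.get("interface", default_iface))
    findings = []
    for el in root.iter():
        # The enabled attribute is assumed to default to true, as in WildFly.
        if _local(el.tag) == "ajp-listener" and el.get("enabled", "true") == "true":
            port, iface = bindings.get(el.get("socket-binding"), (None, None))
            findings.append((el.get("name"), port, iface))
    return findings
```

An empty result on a host running Undertow below 2.0.30.Final means the listener is not configured; a non-empty result on a non-loopback interface is the condition the advisory's mitigation article addresses.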

Comment 19 Doran Moppert 2020-02-28 00:05:11 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1808147]

Comment 27 Dhananjay Arunesh 2020-03-04 09:03:46 UTC
Acknowledgments:

Name: Robert Roberson, Steve Zapantis, taktakdb4g

Comment 32 Ted Jongseok Won 2020-03-10 05:04:32 UTC
Statement:

Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938

Comment 33 Ted Jongseok Won 2020-03-10 05:04:37 UTC
Mitigation:

Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251

Comment 34 errata-xmlrpc 2020-03-12 17:07:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0812 https://access.redhat.com/errata/RHSA-2020:0812

Comment 35 errata-xmlrpc 2020-03-12 17:21:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0813 https://access.redhat.com/errata/RHSA-2020:0813

Comment 36 Product Security DevOps Team 2020-03-12 22:32:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1745

Comment 39 errata-xmlrpc 2020-03-23 20:18:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3

Via RHSA-2020:0952 https://access.redhat.com/errata/RHSA-2020:0952

Comment 40 errata-xmlrpc 2020-03-24 11:13:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0961 https://access.redhat.com/errata/RHSA-2020:0961

Comment 41 errata-xmlrpc 2020-03-24 11:38:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:0962 https://access.redhat.com/errata/RHSA-2020:0962

Comment 47 errata-xmlrpc 2020-05-11 20:10:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:2058 https://access.redhat.com/errata/RHSA-2020:2058

Comment 48 errata-xmlrpc 2020-05-11 20:14:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:2059 https://access.redhat.com/errata/RHSA-2020:2059

Comment 49 errata-xmlrpc 2020-05-11 20:17:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2060 https://access.redhat.com/errata/RHSA-2020:2060

Comment 50 errata-xmlrpc 2020-05-11 20:20:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2061 https://access.redhat.com/errata/RHSA-2020:2061

Comment 51 errata-xmlrpc 2020-05-28 16:00:03 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 52 errata-xmlrpc 2020-06-04 13:12:01 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.13

Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367

Comment 53 errata-xmlrpc 2020-06-10 19:06:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

Comment 54 errata-xmlrpc 2020-06-10 19:24:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

Comment 55 errata-xmlrpc 2020-06-11 07:09:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

Comment 56 errata-xmlrpc 2020-06-11 07:17:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

Comment 58 Jonathan Christison 2020-07-14 16:22:34 UTC
Marking Red Hat JBoss Fuse 6.3.0 as having a low impact; this is because the affected component (camel-undertow) only supports HTTP & HTTPS and does not create an AJP listener.

Comment 59 errata-xmlrpc 2020-07-23 07:04:46 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905

Comment 60 errata-xmlrpc 2020-07-28 15:56:00 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 61 errata-xmlrpc 2020-09-17 13:08:33 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.7

Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779