In some circumstances Undertow can serve data from a random ByteBuffer. This is due to an incomplete fix for UNDERTOW-438. Basically, if all the headers are not written out in the first write() call, then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

Upstream bug: https://issues.jboss.org/browse/JBEAP-15428
Upstream patch: https://github.com/jbossas/redhat-undertow/commit/e65ad5b410f95b166ff04f876e22f873e9b4ce62
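A simplified model of the bug class described above, added here as an illustration and not Undertow's own code: a pooled java.nio.ByteBuffer is reused across responses, and a flush routine that emits the buffer's whole backing array (instead of only the region written for the current response) sends a previous client's bytes on the wire. The class, method names and the sample header strings are constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class PooledBufferLeak {
    // One buffer handed out to consecutive responses, as a buffer pool would do
    private static final ByteBuffer POOLED = ByteBuffer.allocate(64);

    // Flawed flush: copies the full backing array regardless of how much was written
    // for this response, so stale bytes from an earlier response leak out.
    static byte[] flushFlawed(ByteBuffer buf) {
        byte[] out = new byte[buf.capacity()];
        System.arraycopy(buf.array(), 0, out, 0, buf.capacity());
        buf.clear();
        return out;
    }

    // Correct flush: flip() sets limit to the bytes written for this response,
    // and only that region [0, limit) is emitted.
    static byte[] flushFixed(ByteBuffer buf) {
        buf.flip();
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        buf.clear();
        return out;
    }

    static void writeHeaders(ByteBuffer buf, String headers) {
        buf.put(headers.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Response 1 (constructed): a long header block containing user A's cookie.
        writeHeaders(POOLED, "HTTP/1.1 200 OK\r\nSet-Cookie: session=SECRET-OF-USER-A\r\n\r\n");
        flushFixed(POOLED); // clear() resets position/limit but does not zero the array

        // Response 2 writes fewer bytes; the unused tail still holds user A's cookie.
        writeHeaders(POOLED, "HTTP/1.1 204 No Content\r\n\r\n");
        String leaked = new String(flushFlawed(POOLED), StandardCharsets.US_ASCII);
        System.out.println("flawed flush leaks stale cookie: " + leaked.contains("SECRET-OF-USER-A"));

        // Same response through the correct flush: only the 27 bytes written are sent.
        writeHeaders(POOLED, "HTTP/1.1 204 No Content\r\n\r\n");
        String clean = new String(flushFixed(POOLED), StandardCharsets.US_ASCII);
        System.out.println("fixed flush leaks stale cookie: " + clean.contains("SECRET-OF-USER-A"));
    }
}
```

The same defect is invisible when every response happens to fill the buffer to the same length, which is why the original fix for UNDERTOW-438 could look correct under simple tests; a regression test should reuse one buffer for a long response followed by a shorter one.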
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:0362 https://access.redhat.com/errata/RHSA-2019:0362
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2019:0364 https://access.redhat.com/errata/RHSA-2019:0364
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2019:0365 https://access.redhat.com/errata/RHSA-2019:0365
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.6 zip Via RHSA-2019:0380 https://access.redhat.com/errata/RHSA-2019:0380
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.1 zip Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140
This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-14642
RH Single Sign-On has been fixed since 7.3.2, which included undertow-core-2.0.19.Final-redhat-00001.jar.
Marked JDG as not affected, as it already includes the fixed undertow-core version, i.e.: JDG7.3.2/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.2.CP/io/undertow/core/main/undertow-core-2.0.19.Final-redhat-00001.jar
Marked Fuse as not affected, as the undertow version defined in its POMs is 2.0.20.Final-redhat-00001.