Undertow handles certain query string characters improperly. An attacker could use this flaw to send a malicious request that triggers server errors, resulting in a denial of service.
The description is wrong: that is not a mod_cluster bug, that is a general AJP problem, and it affects mod_jk and mod_proxy_ajp. The work-around is easy: use HTTP/1.1 instead of AJP to proxy to the back-end. I confirm the problem is, for example, in https://github.com/apache/httpd/blob/trunk/modules/proxy/ajp_header.c#L327: the query string is copied to the AJP payload without any checks, and the same for mod_jk, see https://github.com/apache/tomcat-connectors/blob/master/native/apache-2.0/mod_jk.c#L969. The checks can also be done in the AJP of tomcat/undertow to reject URLs/query strings that are not conforming to RFC 7230 and RFC 398. The problem needs to be reported to the ASF httpd and tomcat security lists for further investigation.
Also note that only undertow seems to create a denial of service, because it doesn't return anything to httpd and closes the session abruptly, and that marks the node as broken. Tomcat AJP just wrongly processes the illegal request, so it is up to the webapp to process the query string and reject it.
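The check proposed in the comment above, written out as an added example (this is not code from httpd, mod_jk, Tomcat or Undertow): a proxy-side gate that validates the query string against the RFC 3986 query grammar and answers 400 locally instead of copying unchecked bytes into an AJP payload. Assumptions: the comment's "RFC 398" is taken to mean RFC 3986 (URI syntax), and the function names and sample request targets are constructed here.

```python
from __future__ import annotations
import re

# RFC 3986 query grammar (assumed target of the proposed check):
#   query  = *( pchar / "/" / "?" )
#   pchar  = unreserved / pct-encoded / sub-delims / ":" / "@"
# Raw spaces, control bytes, a stray '%' or non-ASCII bytes are rejected
# up front instead of being forwarded verbatim to the back-end.
_QUERY_TOKEN = re.compile(rb"[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2}")


def find_query_violation(query: bytes) -> int:
    """Return -1 if `query` is a valid RFC 3986 query, otherwise the offset
    of the first byte that breaks the grammar."""
    pos = 0
    while pos < len(query):
        m = _QUERY_TOKEN.match(query, pos)
        if m is None:
            return pos
        pos = m.end()
    return -1


def split_request_target(target: bytes) -> tuple[bytes, bytes | None]:
    """Split an origin-form request target into path and query (None if no '?')."""
    path, sep, query = target.partition(b"?")
    return path, (query if sep else None)


def gate_request_target(target: bytes) -> tuple[int, str]:
    """Decide at the proxy whether a request target may be forwarded.
    Returns (status, reason): 200 means forward to the AJP back-end,
    400 means reject locally so the back-end never sees the malformed query."""
    _, query = split_request_target(target)
    if query is None:
        return 200, "no query string"
    bad = find_query_violation(query)
    if bad == -1:
        return 200, "query conforms to RFC 3986"
    return 400, f"invalid byte 0x{query[bad]:02x} at query offset {bad}"


if __name__ == "__main__":
    # Constructed sample request targets, not taken from any real capture.
    for sample in (b"/app?a=1&b=hello%20world", b"/app?a=1 b=2", b"/app?q=100%", b"/app?q=\x01"):
        print(sample, "->", gate_request_target(sample))
```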
Also a note from https://issues.redhat.com/browse/JBCS-1019: "Note that the AJP issue was discovered by Richard Opalka <ropalka>"
Mitigation: The issue can be mitigated by using HTTP/1.1 instead of AJP to proxy to the back-end.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27782
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.5 Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2021:0295 https://access.redhat.com/errata/RHSA-2021:0295
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207
This issue has been addressed in the following products: Red Hat support for Spring Boot 2.3.10 Via RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134