UndertowInputStream.close() blocks waiting to read -1 https://issues.redhat.com/browse/UNDERTOW-2048
@pjindal I see that this CVE is valid for Undertow 2.x. I wonder whether it is also reproducible on quarkus-http, which was developed on top of Undertow 2.x? Note that there is an io.undertow.httpcore.UndertowInputStream class in quarkus-http.
In reply to comment #4:

> @pjindal I see that this CVE is valid for Undertow 2.x. I wonder whether it is also reproducible on quarkus-http, which was developed on top of Undertow 2.x?
> Note that there is an io.undertow.httpcore.UndertowInputStream class in quarkus-http.

Peter, I have added you in https://issues.redhat.com/browse/UNDERTOW-2048; there is a comment on this jira with details about reproducing this issue. Also, since quarkus-http is based on Undertow 2.x, quarkus ships the affected code and hence it should be marked as affected. I am still not sure if this can be reproduced in quarkus, as it is not easy to reproduce. Since this is already a Low impact CVE, I am marking quarkus as affected for this CVE so that we can fix the affected undertow code in quarkus 2.x.
Is there a simple mitigation for this? As far as I am aware, I don't use EJB invocations. Is there a setting to disable them, or are they not even configured by default?
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2022:8792 https://access.redhat.com/errata/RHSA-2022:8792
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:8790 https://access.redhat.com/errata/RHSA-2022:8790
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:8791 https://access.redhat.com/errata/RHSA-2022:8791
This issue has been addressed in the following products: EAP 7.4.8 release Via RHSA-2022:8793 https://access.redhat.com/errata/RHSA-2022:8793
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2764
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049