UndertowInputStream.close() blocks waiting to read -1
@pjindal I see that this CVE is valid for Undertow 2.x. I wonder whether it is also reproducible on quarkus-http, which was developed on top of Undertow 2.x?
Note that there is io.undertow.httpcore.UndertowInputStream class in quarkus-http.
In reply to comment #4:
> @pjindal I see that this CVE is valid for Undertow 2.x. I wonder
> whether it is also reproducible on quarkus-http which was developed on top
> of Undertow 2.x?
> Note that there is io.undertow.httpcore.UndertowInputStream class in
Peter, I have added you to https://issues.redhat.com/browse/UNDERTOW-2048; there is a comment on this jira with details about reproducing this issue. Also, since quarkus-http is based on Undertow 2.x, quarkus ships the affected code and hence it should be marked as affected. I am still not sure if this can be reproduced in quarkus, as it is not easy to reproduce.
Since this is already a Low impact CVE, I am marking quarkus as affected for this CVE so that we can fix the affected undertow code in quarkus 2.x.
Is there a simple mitigation for this?
As far as I am aware, I don't use EJB invocations. Is there a setting to disable them, or are they not even configured by default?