It was found that the original patch for the CVE-2017-2666 issue in Undertow was incomplete, and invalid characters are still allowed in the query string and path parameters.
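The description above says only that the earlier fix still let invalid characters through in the query string and path parameters; it does not show Undertow's own checking code. As an added illustration, not Undertow's code and not the fix shipped in the errata listed on this page, here is a stand-alone Python check that tests an origin-form request-target against the RFC 3986 path and query grammar, alongside a comparison showing that a generic URL splitter does no such validation. The sample request-targets are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Character classes taken from the RFC 3986 grammar. This is a stand-alone
# illustration of the check, not Undertow's parser.
UNRESERVED = "A-Za-z0-9\\-._~"
SUB_DELIMS = "!$&'()*+,;="          # ';' and '=' are what path parameters use
PCT_ENCODED = "%[0-9A-Fa-f]{2}"     # a bare '%' without two hex digits is invalid
PCHAR = f"(?:[{UNRESERVED}{SUB_DELIMS}:@]|{PCT_ENCODED})"

# origin-form request-target: absolute-path [ "?" query ]
#   absolute-path = 1*( "/" segment ), segment = *pchar
#   query         = *( pchar / "/" / "?" )
PATH_RE = re.compile(f"^(?:/{PCHAR}*)+$")
QUERY_RE = re.compile(f"^(?:{PCHAR}|[/?])*$")


def validate_request_target(target: str):
    """Split an origin-form request-target at the first '?' and check the path
    and the query separately against the RFC 3986 grammar.

    Returns (ok, reason). Anything outside the grammar (spaces, control
    characters, braces, a bare '%', ...) is rejected rather than passed on, so
    every component behind this check sees the same, well-formed path and query.
    """
    path, sep, query = target.partition("?")
    if not PATH_RE.fullmatch(path):
        return False, f"path contains characters outside RFC 3986 pchar: {path!r}"
    if sep and not QUERY_RE.fullmatch(query):
        return False, f"query contains characters outside RFC 3986 query: {query!r}"
    return True, "ok"


def lenient_query(target: str) -> str:
    """What a generic splitter hands back: urlsplit() separates the query but
    does not validate its characters, so splitting alone is not a check."""
    return urlsplit(target).query


# Constructed request-targets: the first three are valid (the second carries a
# path parameter, the third uses proper percent-encoding); the rest are not.
SAMPLES = [
    "/app/index.html?user=alice&lang=en",
    "/app;jsessionid=ABC123/page",
    "/app/x%2Fy?q=a%20b",
    "/app/pa ge?x=1",        # raw space in the path
    "/app/page?name={a}",    # braces in the query
    "/app/page?q=100%",      # bare '%' not followed by two hex digits
    "/app/page?q=\x01",      # control character in the query
]


def check_samples() -> dict:
    """Map each constructed sample to whether it passes the RFC 3986 check."""
    return {s: validate_request_target(s)[0] for s in SAMPLES}


if __name__ == "__main__":
    for target in SAMPLES:
        ok, reason = validate_request_target(target)
        print(f"{'ACCEPT' if ok else 'REJECT'} {target!r}: {reason}")
    # The splitter returns the invalid query unchanged; only the check above rejects it.
    print("urlsplit query for '/app/page?name={a}':", lenient_query("/app/page?name={a}"))
```

The split into path and query happens before validation so that a `?` in the query and a `;` path parameter in the path are each judged by the right rule; the percent-encoding alternative is what makes `%2F` pass while a trailing bare `%` fails.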
Acknowledgments: Name: Stuart Douglas (Red Hat)
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
Hi,

Do you have any further information on which upstream change fixes the issue? Is there an upstream issue reported for that?

Regards,
Salvatore
Setting needinfo to Bharti Kundal so that she sees it.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
>
> Do you have any further information which upstream change fixes the issue? I
> sthere a upstream issue reported for that?
>
> Regards,
> Salvatore

Hi Salvatore,

The upstream JIRA is: https://issues.jboss.org/browse/UNDERTOW-1251. You can get more information from there.

Thanks and Regards,
Bharti
We tried to find more information about CVE-2017-7559 and CVE-2017-12165 but could not find any in undertow's bug tracker. For both issues you pointed us to https://issues.jboss.org/browse/UNDERTOW-1251. UNDERTOW-1251 is about CVE-2017-2666 though. What are the corresponding issues for CVE-2017-7559 and CVE-2017-12165?

Thanks,
Markus
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322
Chess, can you sort this out and close off that needinfo as needed? Thanks!
Since this is fixed in undertow 2.0.1.Final already, I am marking RHSSO 7.3.3 (latest as of today) as not affected, as it ships undertow 2.0.22.Final.
Marking fuse 6 as ooss, as this flaw is moderate and for fuse 6 we only do important and critical flaws.