CVE-2023-1108 DoS on undertow-core


Shwetabh Srijan

Dec 21, 2023, 11:32:03 PM12/21/23
to WildFly
Hi Team,

Currently, we are using the Wildfly-24 application server with the default undertow-core as 2.2.8.
Due to the exploitation of CVE-2023-1108, we wanted to upgrade undertow to the patched version 2.3.5/2.3.10 which has the fix.

Upgrading the overall Wildfly Application Server to a higher version [29/30] is time-consuming so that's not a solution for a quick workaround. 

The ask would be : 
  1. Can undertow-core only be upgraded in the wildfly suite?
  2. Is 2.3.5/2.3.10 supported in Wildfly-24?

Regards
Shwetabh Srijan

Richard Opalka

Jan 2, 2024, 6:47:10 AM1/2/24
to Shwetabh Srijan, WildFly
Hello Shwetabh,

   There's an Undertow API being used inside the WildFly Undertow subsystem,
and this must be properly synchronized. This said it is not recommended
(and highly probably it will not work) to upgrade Undertow jars this way.
The correct approach is to migrate to newer WildFly versions.

Rio


John Saccoccio

Jan 2, 2024, 3:47:38 PM1/2/24
to WildFly
Another thread suggested a successful upgrade of undertow was possible, but our (my) effort was unsuccessful and pretty much a complete waste of time and effort. We simply downgraded the JDK minor version (to openjdk-11.0.15) as recommended for a very simple and successful fix until possible to allocate the resources necessary to embark on a massive platform upgrade (if ever?)

Darran Lofthouse

Jan 3, 2024, 6:21:47 AM1/3/24
to WildFly
FYI it would generally be advisable to factor in plans to keep your WildFly versions up to date with the latest so that you are able to benefit from the most recent fixes and CVEs.  The Jakarta namespace change has not helped but in general this would help avoid the need for a large migration at the time some other fix is required.

Arjun Lodhe

Jul 24, 2024, 3:44:42 AM7/24/24
to WildFly
Hello everyone,

We tried to manually replace "undertow-core-2.2.19.Final.jar" with "undertow-core-2.2.24.Final.jar" on WildFly 26.1.3 and were able to do it successfully.
Can anyone please confirm whether directly replacing the WildFly jar can cause some unknown problems (so far we have noticed none)?

Also, in exactly which version of WildFly is this CVE fixed?

Regards,
Arjun

Darran Lofthouse

Jul 24, 2024, 6:10:58 AM7/24/24
to WildFly
Unfortunately yes, replacing components in the application server could risk causing "unknown problems": when we process component upgrades we run various testsuites to help us understand if they trigger any regressions in our known tests. But if you are not seeing any issues, maybe you are OK.

The Undertow upgrade came through WildFly Core 20.0.0.Final:


Which in turn was included in WildFly 28.0.0.Beta1 and WildFly 28.0.0.Final:

Arjun Lodhe

Jul 24, 2024, 6:43:19 AM7/24/24
to WildFly
Thank you for the response Darran.

The link which you shared talks about undertow upgrade from 2.3.4 to 2.3.5:

But I want to know in which exact version of Wildfly,  "undertow-core-2.2.19.Final.jar" jar is upgraded to "undertow-core-2.2.24.Final.jar"?

I can see that in WildFly 26.1.3 it is "undertow-core-2.2.19.Final.jar" and in WildFly 27.0.0 it is "undertow-core-2.3.0.Final.jar", but I want to know the minimal version where this specific jar was changed to "undertow-core-2.2.24.Final.jar". This will assist us in planning the minimal necessary upgrade for WildFly.

Regards,
Arjun

Darran Lofthouse

Jul 24, 2024, 10:15:10 AM7/24/24
to WildFly
I don't see any issues upgrading WildFly to 2.2.24; the first upgrade I see is the one that took it to 2.3.5, so WildFly 28 would be the first version to contain the fix for the associated CVE.
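The jar swap discussed above is worth verifying rather than trusting, because JBoss Modules loads the resource-root named in the module's module.xml, not whatever jar happens to sit in the directory. The script below is an added example, not code from the WildFly project or from anyone in this thread: it reads the undertow-core jar that module.xml actually references, confirms that file exists on disk, and compares its version against the first patched release for its branch. It assumes the standard module path modules/system/layers/base/io/undertow/core/main (custom layers or patched installs differ), and it assumes 2.2.24.Final and 2.3.5.Final as the first patched releases of the two branches; 2.3.5 comes from the thread, 2.2.24 is the version Arjun swapped in and is treated here as the 2.2.x fix, which is an assumption to confirm against the advisory.

```shell
#!/bin/sh
# Added example, not WildFly project code or code posted in the thread.
# Reports the undertow-core jar a WildFly install really loads (the one named in
# module.xml) and whether it is at or above the first release with the
# CVE-2023-1108 fix. Assumptions (not confirmed by the thread): the standard
# module path below and the patched versions 2.2.24 / 2.3.5.

# "undertow-core-2.2.19.Final.jar" -> "2.2.19"; prints nothing if the name does not match
undertow_version_from_jar() {
    printf '%s\n' "$1" | sed -n 's/^.*undertow-core-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*\.jar$/\1/p'
}

# Numeric, component-wise comparison of dotted versions; exit status 0 when $1 >= $2
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# First patched release for the branch a version belongs to (assumed values, see above)
min_fixed_for() {
    case "$1" in
        2.2.*) echo 2.2.24 ;;
        2.3.*) echo 2.3.5 ;;
        *)     echo "" ;;
    esac
}

# "patched", "vulnerable" or "unknown" for a bare version such as 2.2.19
undertow_status() {
    min=$(min_fixed_for "$1")
    if [ -z "$min" ]; then echo unknown; return 0; fi
    if version_ge "$1" "$min"; then echo patched; else echo vulnerable; fi
}

# The resource-root the module loader will use, taken from module.xml
undertow_jar_from_module_xml() {
    sed -n 's/.*<resource-root[^>]*path="\([^"]*undertow-core[^"]*\.jar\)".*/\1/p' "$1" | head -n 1
}

# Full check for a WildFly home; prints "<jar> <status>" or a short error token
check_wildfly_home() {
    moddir="$1/modules/system/layers/base/io/undertow/core/main"   # assumed layout
    xml="$moddir/module.xml"
    [ -f "$xml" ] || { echo "no-module-xml"; return 1; }
    jar=$(undertow_jar_from_module_xml "$xml")
    [ -n "$jar" ] || { echo "no-undertow-resource-root"; return 1; }
    # A jar copied in by hand is only loaded if module.xml names it and it is present
    [ -f "$moddir/$jar" ] || { echo "$jar missing-on-disk"; return 1; }
    ver=$(undertow_version_from_jar "$jar")
    echo "$jar $(undertow_status "$ver")"
}

# Usage: check_wildfly_home /opt/wildfly-26.1.3.Final
```

Note that this is a check on the artifact name, not a behavioural test of the fix: it tells you which jar the module system will load and whether that jar is new enough, which is exactly the step a hand-edited module needs before anyone concludes that "we have noticed no problems" means the patched code is running.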