CVE-2023-44487 reported in WildFly 24 and 25


Heet Thakrar

Jan 11, 2024, 11:02:17 AM
to WildFly
Hi Team,

I am using WildFly 25 for my application.

Is it possible for me to fix this vulnerability (CVE-2023-44487) without upgrading to the latest WildFly 30, i.e. by just upgrading some of the jars which are affected?

I don't want to make the changes in my application which are required when migrating to the latest WildFly version.

Thanks and Regards,
Heet :)

James Perkins

Jan 12, 2024, 10:39:06 AM
to WildFly
Note that this suggestion is use at your own risk :) The combination of these components has not been tested, so no guarantees can be made.

What you'd want to do is upgrade both Netty and Undertow. Netty should be at least 4.1.100.Final. Undertow should be 2.2.28.Final.

For Undertow you'll need to upgrade these libraries and the module.xml file to match the path for the new name:
modules/system/layers/base/io/undertow/
├── core
│   └── main
│       ├── module.xml
│       └── undertow-core-2.2.12.Final.jar
├── js
│   └── main
│       ├── module.xml
│       └── undertow-js-1.0.2.Final.jar
├── jsp
│   └── main
│       ├── jastow-2.0.9.Final.jar
│       └── module.xml
├── servlet
│   └── main
│       ├── module.xml
│       └── undertow-servlet-2.2.12.Final.jar
└── websocket
    └── main
        ├── module.xml
        └── undertow-websockets-jsr-2.2.12.Final.jar

Netty is a bit easier since those versions of WildFly use netty-all. Again, you'll need to copy the new library to that directory and update the module.xml file to match the new path.
modules/system/layers/base/io/netty/
└── main
    ├── module.xml
    └── netty-all-4.1.68.Final.jar
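The jar swap described in the reply above, written out as a small POSIX shell helper. This is an added example and is not code from the thread or from the WildFly project. It assumes what WildFly's base-layer modules actually look like: module.xml references each jar by bare filename as `<resource-root path="name.jar"/>`, and the replacement jar has already been downloaded (the module.xml contents and temp-dir layout in `demo_swap` are constructed for the demonstration). The helper refuses to touch a module whose module.xml does not reference the jar you claim to be replacing, keeps a backup of module.xml, and only rewrites the `path` attribute so every other line of the module descriptor is left alone.

```shell
#!/bin/sh
# Added example: replace one jar in a WildFly module directory and repoint
# module.xml at it. Not WildFly project code; assumes the
# <resource-root path="..."/> convention used by WildFly's base layer.
set -eu

# referenced_jar MODULE_DIR
#   Print the jar filename(s) that MODULE_DIR/module.xml currently references.
referenced_jar() {
    sed -n 's/.*<resource-root path="\([^"]*\)".*/\1/p' "$1/module.xml"
}

# swap_module_jar MODULE_DIR OLD_JAR NEW_JAR_SOURCE
#   MODULE_DIR      e.g. $JBOSS_HOME/modules/system/layers/base/io/netty/main
#   OLD_JAR         jar filename currently referenced in module.xml
#   NEW_JAR_SOURCE  path to the replacement jar you downloaded
swap_module_jar() {
    module_dir=$1; old_jar=$2; new_src=$3
    new_jar=$(basename "$new_src")
    xml="$module_dir/module.xml"

    # Sanity checks: the descriptor must reference the old jar and the new
    # jar must exist, otherwise the server would fail to boot the module.
    [ -f "$new_src" ] || { echo "missing replacement jar: $new_src" >&2; return 1; }
    grep -q "path=\"$old_jar\"" "$xml" || {
        echo "$xml does not reference $old_jar" >&2; return 1
    }

    cp "$xml" "$xml.bak"                      # keep a way back
    cp "$new_src" "$module_dir/$new_jar"      # install the new jar
    # Rewrite only the path attribute; written via a temp file so it works
    # with both GNU and BSD sed.
    sed "s|path=\"$old_jar\"|path=\"$new_jar\"|" "$xml" > "$xml.tmp"
    mv "$xml.tmp" "$xml"
    rm -f "$module_dir/$old_jar"              # drop the vulnerable jar
}

# Constructed demonstration: a fake io.netty module in a temp dir. The
# module.xml below is a simplified stand-in, not a copy of WildFly's file.
demo_swap() {
    root=$(mktemp -d)
    mod="$root/modules/system/layers/base/io/netty/main"
    mkdir -p "$mod" "$root/downloads"
    : > "$mod/netty-all-4.1.68.Final.jar"
    : > "$root/downloads/netty-all-4.1.100.Final.jar"
    cat > "$mod/module.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.9" name="io.netty">
    <resources>
        <resource-root path="netty-all-4.1.68.Final.jar"/>
    </resources>
</module>
EOF
    swap_module_jar "$mod" netty-all-4.1.68.Final.jar \
        "$root/downloads/netty-all-4.1.100.Final.jar"
    # Print what module.xml references now; the new jar must also be on disk.
    ref=$(referenced_jar "$mod")
    [ -f "$mod/$ref" ] || { echo "referenced jar $ref not present" >&2; return 1; }
    echo "$ref"
    rm -rf "$root"
}

demo_swap
```

For a real install, run `swap_module_jar` once per module directory listed above (core, servlet, websocket, jsp, js, and io/netty/main), then start the server and check the boot log for missing-resource errors before trusting the result; the reply is explicit that this combination is untested.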
