How to patch CVE-2022-1259 for WildFly 26.1.3?

[Chiyu]

Hi, I am trying to find a way to patch CVE-2022-1259 for WildFly 26.1.3, we can't upgrade to 28.0.1 Final that has the fix since we need to stay on Jakarta EE8, is there any way we can patch it ourself and how to I verify the patch.

Thanks.

[Jose Socola]

I think u can try to update undetown module to 2.2.33 version, we have 2.2.28 version in prd environments and works fine.

Regards,

JS

On Tue, Jul 2, 2024 at 1:11 PM Chiyu <chiyur...@gmail.com> wrote:

Hi, I am trying to find a way to patch CVE-2022-1259 for WildFly 26.1.3, we can't upgrade to 28.0.1 Final that has the fix since we need to stay on Jakarta EE8, is there any way we can patch it ourself and how to I verify the patch.

Thanks.

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/9bcd3c52-2e96-43a1-94a0-11de89146fa9n%40googlegroups.com.

[Chiyu]

Thanks for the info I can build WildFly 26.1.3 Final with undertow 2.2.33 Final but I can't find confirmation that 2.2.33 Final contains fix for CVE-2022-1259, is there a place I can find what vulnerabilities is resolved in each undertow build?

Thanks.

[Bartosz Baranowski]

You can always check source: https://github.com/undertow-io/undertow/pull/1483/commits/620d934b5105b5425e28e8b6b798d52c99497f3b

https://github.com/undertow-io/undertow/compare/2.2.24.Final...2.2.26.Final

[Chiyu]

Great, just what I'm looking for.

Thanks for the info.