Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-6057

Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

    XMLWordPrintable

Details

    • Component Upgrade
    • Resolution: Done
    • Blocker
    • 19.0.0.Final
    • None
    • None

    Description

      Upgrade Undertow to 2.3.0.Final, containing both Servlet 6 and WebSockets 2.1 final

      Upgrade Undertow from 2.3.0.Beta1 to 2.3.0.Final
      Diff: https://github.com/undertow-io/undertow/compare/2.3.0.Beta1...2.3.0.Final

      Release: https://issues.redhat.com/projects/UNDERTOW/versions/12384184
       

      Full list of Jiras: https://issues.redhat.com/browse/UNDERTOW-2095?jql=project%20%3D%20Undertow%20AND%20fixVersion%20~%202.3.0.Final
      (includes Jiras that were added in Beta and Alpha)

      Solves CVE-2022-2764, and previous 2.3.0 Beta and Alpha upgrades also included CVE-2022-1259 and CVE-2022-1319

      Attachments

        Issue Links

          clones

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-16230 Upgrade Undertow to 2.3.0.Alpha1

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          incorporates

          Sub-task - The sub-task of the issue UNDERTOW-2058 Session.getRequestURI() must return full URI not just request path

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2084 Adjust ServletResponse.setCharacterEncoding() behavior after spec clarification

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2085 Implement fallback locale to charset mapping if such mapping wasn't specified in DD

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2086 ASYNC and REQUEST dispatch types must return redirected path -> servlet mapping

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2087 All ServletContext modification methods must throw UnsupportedOperationException

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2088 All SessionCookieConfig modification methods must throw IllegalStateException

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue UNDERTOW-2089 RFC 6265 treats the attributes of an RFC 2109 cookie as a separate cookies

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature Request - Feature requests from customers and/or users UNDERTOW-1593 Track processing time of in flight requests

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature Request - Feature requests from customers and/or users UNDERTOW-2051 Upgrade WebSocket API to 2.1.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature Request - Feature requests from customers and/or users UNDERTOW-2053 Upgrade Servlet to 6.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2079 CPU spinning in AbstractFramedStreamSinkChannel

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1902 Undertow allows session creation and session ID change after response is committed.

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1997 SecurityPathMatches fails to match default path ('/')

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2048 CVE-2022-2764 UndertowInputStream.close() blocks waiting to read= -1

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2069 Filter.destroy can deadlock with running filter on shutdown

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2082 HTTP/2 doesn't reassemble cookie headers violating rfc7540 8.1.2.5

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2142 ChunkedStreamSinkConduit write with a buffer array writes too few buffers

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2147 race condition between session invalidate and changeSessionId leads to UT000010

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1934 onClose not called when network drops

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2034 Http2StreamSinkChannel.awaitWritable could throw "Out of control window" IOException before awaitWritable timeout has fully ellapsed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2035 Http2StreamSinkChannel overrides awaitWritable() but does not override awaitWritable(long, TimeUnit)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2036 AbstractFramedChannel.awaitWritable does not guard against spurious wakes

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2066 AbstractFramedChannel.freeNotifier checks for receivesSuspendedByUser instead of receivesSuspendedTooManyBuffers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2068 AbstractFramedStreamSourceChannel read listener prevents read from running again

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2080 Use currentTimeMillis instead of nanoTime to measure times in awaitWritable

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2093 Fix spotbugs reported errors

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2094 Bad relative redirect is generated if app is mapped to trailing slash context

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2102 ServletPrintWriterDelegate throws exception using OpenJDK 19 EA

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2111 rewrite() handler doesn't guard against missing leading slash

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2116 ServletOutputStreamImpl incorrectly sets Content-Length to 0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2135 Properly handle HTTP Continue with HTTP2 upgrade

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2140 SSLSessionInfo.calculateKeySize(String cipherSuite) doesn't account for all cipher suits

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2141 NPE in ServletContextImpl after session timed out

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2162 Query parameters should not be canonicalized in servlet path when get request dispatcher

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2163 Predicate Language cannot set attribute to empty string

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2166 When both IDLE_TIMEOUT and READ_TIMEOUT are configured the minimum of both should be used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1357 Difference between RequestProtocolAttribute and TransportProtocolAttribute

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2061 IP address filter with netmask not working as expected

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2083 bad read timeout message

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2159 InMemorySessionManager#getSession - null check inconsistency

          • Trivial - Cosmetic problem like misspelt words or misaligned text.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. UNDERTOW-2049 Move Undertow to JDK11

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. UNDERTOW-2050 Move Undertow to Jakarta Specs by Default

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. UNDERTOW-2117 Fix issues found by SonarQube

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-1771 APIs deprecated in JDK 9+ are in use

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-1971 Change in handling of concurrent session creation with id reuse

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-2067 AbstractFramedChannel should hold from resuming reads immediately after max buffer queue is hit

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-2138 Remove JDK8 support from ALPN providers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-2145 UndertowOutputStream and ServletOutputStreamImpl awaitWritable unnecessarily

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-2131 ContentEncodingRepository.getContentEncodings allocates many ArrayList iterators in hot path

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          is blocked by

          Task - Represents a small unit of work that is not end-user facing. WFLY-16987 Make Undertow dependencies be driven by WildFly Core

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-16234 Upgrade Jakarta Servlet API to 6.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-16235 Upgrade Jakarta WebSockets to 2.1

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is cloned by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-17017 Upgrade Undertow to 2.3.0.Beta1

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Feature Request - Feature requests from customers and/or users WFLY-15698 Jakarta Servlet 6.0 in WildFly Preview

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature Request - Feature requests from customers and/or users WFLY-15700 Jakarta WebSocket 2.1 in WildFly Preview

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              flaviarnn Flavia Rainone
              flaviarnn Flavia Rainone
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: