[
https://issues.apache.org/jira/browse/CXF-8734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andriy Redko updated CXF-8734:
------------------------------
Fix Version/s: 4.0.0
3.6.0
3.5.4
3.4.9
> upgrade to undertow 2.2.15 or later
> -----------------------------------
>
> Key: CXF-8734
> URL: https://issues.apache.org/jira/browse/CXF-8734
> Project: CXF
> Issue Type: Improvement
> Reporter: Kripal Deb Barman
> Priority: Major
> Fix For: 4.0.0, 3.6.0, 3.5.4, 3.4.9
>
>
> Undertow contains a flaw with how certain calls are made over HTTP2.
> Invocation of an EJB can fail on the client side which will result in the
> invocation-timeout being hit. Successfully exploiting this can allow an
> attacker to trigger a denial-of-service (DoS).
> {*}Solution{*}: Fixed in
> [*2.2.15*|https://github.com/undertow-io/undertow/releases/tag/2.2.15.Final]
> by
> [this|https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2]
> commit.
> The latest stable releases are available
> [here|https://undertow.io/downloads.html].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
