[ https://issues.apache.org/jira/browse/CXF-8734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andriy Redko updated CXF-8734: ------------------------------ Fix Version/s: 4.0.0 3.6.0 3.5.4 3.4.9 > upgrade to undertow 2.2.15 or later > ----------------------------------- > > Key: CXF-8734 > URL: https://issues.apache.org/jira/browse/CXF-8734 > Project: CXF > Issue Type: Improvement > Reporter: Kripal Deb Barman > Priority: Major > Fix For: 4.0.0, 3.6.0, 3.5.4, 3.4.9 > > > Undertow contains a flaw with how certain calls are made over HTTP2. > Invocation of an EJB can fail on the client side which will result in the > invocation-timeout being hit. Successfully exploiting this can allow an > attacker to trigger a denial-of-service (DoS). > {*}Solution{*}: Fixed in > [*2.2.15*|https://github.com/undertow-io/undertow/releases/tag/2.2.15.Final] > by > [this|https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2] > commit. > The latest stable releases are available > [here|https://undertow.io/downloads.html]. -- This message was sent by Atlassian Jira (v8.20.10#820010)