Hi Colm and Grzegorz,

Based on the facts
1. The CVE got fixed since Undertow 2.2.0 (not in 2.1.5).
2. Since Undertow 2.1.0, there is no OSGi support.
3. CXF 3.4.x uses Undertow 2.1.x already
4. The CXF OSGi features.xml cxf-http-undertow feature reuses pax-http-undertow,
so it always reuses the undertow version shipped with OPS4J PAX-WEB.
    <feature name="cxf-http-undertow" version="${project.version}">
        <feature version="${project.version}">cxf-http</feature>
        <feature>pax-http-undertow</feature>
        <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/${project.version}</bundle>
        <capability>
            cxf.http.provider;name=undertow
        </capability>
    </feature>
So any upgrade to undertow 2.2.x won't affect the CXF behavior in OSGi,
though it's true that in OSGi it's very hard to pick up a later undertow release.

In summary, I will upgrade undertow version to 2.23, at least outside OSGi
we can pick up this CVE fix.

Cheers
Freeman
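An added example (not code from the CXF or Pax Web projects) that illustrates the point above: a small resolver that walks a Karaf features.xml transitively and reports which feature actually pins a given bundle, so you can see that the undertow-core version reaching an OSGi deployment comes from pax-http-undertow, not from cxf-http-undertow. The cxf-http and pax-http-undertow definitions and all versions in the sample are constructed placeholders; only the cxf-http-undertow feature mirrors the one quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample repository. cxf-http-undertow is the feature quoted in the
# thread; cxf-http and pax-http-undertow are assumed stand-ins for the real CXF /
# Pax Web definitions, with placeholder versions.
FEATURES_XML = """<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0">
  <feature name="cxf-http" version="CXF-PLACEHOLDER">
    <bundle>mvn:org.apache.cxf/cxf-rt-transports-http/CXF-PLACEHOLDER</bundle>
  </feature>
  <feature name="pax-http-undertow" version="PAXWEB-PLACEHOLDER">
    <bundle>mvn:io.undertow/undertow-core/UNDERTOW-PLACEHOLDER</bundle>
    <bundle>mvn:org.ops4j.pax.web/pax-web-undertow/PAXWEB-PLACEHOLDER</bundle>
  </feature>
  <feature name="cxf-http-undertow" version="CXF-PLACEHOLDER">
    <feature version="CXF-PLACEHOLDER">cxf-http</feature>
    <feature>pax-http-undertow</feature>
    <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/CXF-PLACEHOLDER</bundle>
  </feature>
</features>"""

def parse_features(xml_text):
    """Map feature name -> (referenced feature names, bundle URLs); '{*}' ignores the namespace."""
    feats = {}
    for f in ET.fromstring(xml_text).findall("{*}feature"):
        refs = [r.text.strip() for r in f.findall("{*}feature")]
        bundles = [b.text.strip() for b in f.findall("{*}bundle")]
        feats[f.get("name")] = (refs, bundles)
    return feats

def resolve_bundles(feats, name, seen=None):
    """Follow feature references transitively; return {bundle_url: feature that lists it}."""
    seen = set() if seen is None else seen
    if name in seen or name not in feats:  # unknown feature or cycle: nothing more to add
        return {}
    seen.add(name)
    refs, bundles = feats[name]
    out = {b: name for b in bundles}
    for r in refs:
        out.update(resolve_bundles(feats, r, seen))
    return out

def find_provider(feats, feature, group_prefix):
    """For bundles under a Maven group, report which feature pins them and at what version."""
    found = {}
    for url, feat in resolve_bundles(feats, feature).items():
        group, artifact, version = url[len("mvn:"):].split("/")[:3]  # assumes mvn:g/a/v form
        if group.startswith(group_prefix):
            found[f"{group}/{artifact}"] = (feat, version)
    return found
```

Calling find_provider(parse_features(FEATURES_XML), "cxf-http-undertow", "io.undertow") reports undertow-core as pinned by pax-http-undertow, which is why bumping the version in CXF's own pom does not change what OSGi users get.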

On Fri, Jan 29, 2021 at 5:55 AM Colm O hEigeartaigh <[email protected]>
wrote:

> Hi Grzegorz,
>
> Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and
> the CVE information was out of date :-)
>
> Colm.
>
> On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek <[email protected]>
> wrote:
>
>> Hello
>>
>> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that
>> it's no longer an OSGi bundle (see
>> https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all
>> for CXF :)
>>
>> kind regards
>> Grzegorz Grzybek
>>
>> On Fri, Jan 29, 2021 at 11:19 AM Colm O hEigeartaigh <[email protected]>
>> wrote:
>>
>>> Hey Freeman,
>>>
>>> Can you check if the latest Undertow 2.1.x release (2.1.5) is still
>>> vulnerable to this CVE?
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2020-10687
>>>
>>> If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see Camel
>>> has already updated.
>>>
>>> Thanks,
>>>
>>> Colm.
>>>
>>
