CVE-2022-4492: Undertow client not checking server identity presented by server certificate in https connections
(updated )
The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.
References
- access.redhat.com/security/cve/CVE-2022-4492
- bugzilla.redhat.com/show_bug.cgi?id=2153260
- github.com/advisories/GHSA-pfcc-3g6r-8rg8
- github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
- github.com/undertow-io/undertow/pull/1447
- github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
- github.com/undertow-io/undertow/pull/1457
- github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
- issues.redhat.com/browse/MTA-93
- issues.redhat.com/browse/UNDERTOW-2212
- nvd.nist.gov/vuln/detail/CVE-2022-4492
- security.netapp.com/advisory/ntap-20230324-0002
Detect and mitigate CVE-2022-4492 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →