{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1319", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T00:03:05.119Z", "dateReserved": "2022-04-12T00:00:00", "datePublished": "2022-08-31T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."}], "affected": [{"vendor": "n/a", "product": "undertow", "versions": [{"version": "Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"}, {"url": "https://issues.redhat.com/browse/UNDERTOW-2060"}, {"url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"}, {"url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"}, {"url": "https://access.redhat.com/security/cve/CVE-2022-1319"}, {"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-252 - Unchecked Return Value.", "cweId": "CWE-252"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:03:05.119Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890", "tags": ["x_transferred"]}, {"url": "https://issues.redhat.com/browse/UNDERTOW-2060", "tags": ["x_transferred"]}, {"url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b", "tags": ["x_transferred"]}, {"url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2022-1319", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221014-0006/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1470237-30DB-4A05-8148-621CEE66EA57", "versionEndExcluding": "2.2.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.2.17:-:*:*:*:*:*:*", "matchCriteriaId": "FB2B656E-2229-4D16-B063-4D9456AEBF63", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.2.17:sp1:*:*:*:*:*:*", "matchCriteriaId": "04CA521E-1B46-44FB-AA69-309AC53A360A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.2.17:sp2:*:*:*:*:*:*", "matchCriteriaId": "005FB2BF-CF38-4F91-A24B-96D72222192C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.2.19:-:*:*:*:*:*:*", "matchCriteriaId": "269ECD35-C644-4B04-AAD3-D88F97CF0214", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.2.19:sp1:*:*:*:*:*:*", "matchCriteriaId": "C0692735-244D-415B-894C-1A64E0307FC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "F6DD3DE4-9C5D-4768-9414-C63D1D172B7F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."}, {"lang": "es", "value": "Se ha encontrado un fallo en Undertow. Para una respuesta AJP 400, EAP 7 env\u00eda inapropiadamente el flag de re\u00faso habilitado aunque JBoss EAP cierra la conexi\u00f3n. es producido un fallo cuando la conexi\u00f3n es reusada despu\u00e9s de un 400 por CPING ya que lee en el segundo paquete de respuesta SEND_HEADERS en lugar de un CPONG"}], "id": "CVE-2022-1319", "lastModified": "2022-11-07T19:09:46.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-31T16:15:09.410", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-1319"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.redhat.com/browse/UNDERTOW-2060"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-252"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "undertow", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2022:4922", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4919", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.17-2.SP4_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4918", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.17-2.SP4_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:7417", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.1", "product_name": "Red Hat Single Sign-On 7.6.1", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:7409", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:7410", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:7411", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-0:1-5.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:7411", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:7411", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:8761", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "undertow", "product_name": "Text-Only RHOAR", "release_date": "2022-12-14T00:00:00Z"}], "bugzilla": {"description": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures", "id": "2073890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-252", "details": ["A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.", "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."], "name": "CVE-2022-1319", "package_state": [{"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-04-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1319\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1319"], "threat_severity": "Moderate"}