CVE-2022-4492 — Undertow client not checking server identity presented by server certificate in

Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

How to fix CVE-2022-4492

To remediate CVE-2022-4492, upgrade the affected package to a fixed version below.

—upgrade to 2.3.8-2 or later
—upgrade to 2.3.5.Final or later

Is CVE-2022-4492 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.8-2
>= 2.3.0, < 2.3.5.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-4492
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-4492
WEBaccess.redhat.com/security/cve/CVE-2022-4492
WEBbugzilla.redhat.com/show_bug.cgi?id=2153260