CVE-2024-3653

Publication date 8 July 2024

Last updated 24 July 2024

Ubuntu priority

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
undertow	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	23.10 mantic	Not in release
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-3653
https://bugzilla.redhat.com/show_bug.cgi?id=2274437
https://access.redhat.com/security/cve/CVE-2024-3653
https://access.redhat.com/errata/RHSA-2024:4392