A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2"
},
{
"last_affected": "Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2"
}
]
}
],
"cwe_ids": [
"CWE-252"
],
"cna_assigner": "redhat",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1319.json"
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.17-NA"
},
{
"last_affected": "2.2.17-NA"
},
{
"introduced": "2.2.19-NA"
},
{
"last_affected": "2.2.19-NA"
},
{
"introduced": "2.3.0-alpha1"
},
{
"last_affected": "2.3.0-alpha1"
}
],
"cpe": [
"cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:undertow:2.2.17:-:*:*:*:*:*:*",
"cpe:2.3:a:redhat:undertow:2.2.19:-:*:*:*:*:*:*",
"cpe:2.3:a:redhat:undertow:2.3.0:alpha1:*:*:*:*:*:*"
]
}