Ubuntu alert USN-8144-1 (undertow)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8144-1] Undertow vulnerability
Date: Thu, 02 Apr 2026 08:35:35 +0000
Message-ID: <E1w8DWZ-0002Sh-Ox@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-8144-1
April 02, 2026

undertow vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Undertow would allow unintended access to user sessions over the network.

Software Description:
- undertow: Java web server based on non-blocking IO

Details:

It was discovered that Undertow incorrectly validated the Host header in
incoming HTTP requests. A remote attacker could possibly use this issue to
gain unintended access to user sessions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libundertow-java 2.3.8-2ubuntu0.1~esm1
                   Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libundertow-java 2.2.16-1ubuntu0.1~esm1
                   Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libundertow-java 2.0.29-1ubuntu0.1~esm1
                   Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libundertow-java 1.4.23-3ubuntu0.1~esm1
                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libundertow-java 1.3.16-1ubuntu0.1~esm1
                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8144-1
  CVE-2025-12543
Attachment: signature.asc (type=application/pgp-signature)
