How to disable Undertow from checking the server identity after the CVE-2022-4492 fix in EAP 7.4 Update 10

Solution Verified - Updated

Environment

  • Red Hat Enterprise Application Platform (EAP) 7.4 Update 10

Issue

  • How to disable Undertow from checking the server identity after the CVE-2022-4492 fix in EAP 7.4 Update 10

  • After applying Update 10 to EAP 7.4, Undertow now checks the server identity. How do we disable this?

CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client

Resolution

Setting the system property io.undertow.client.https.disableEndpointIdentification to true restores the old, less secure behavior in which the Undertow HTTPS client does not verify that the server certificate matches the host it connected to.

On the command line:

-Dio.undertow.client.https.disableEndpointIdentification=true

Configuring using the JBoss CLI

[standalone@embedded /] /system-property=io.undertow.client.https.disableEndpointIdentification:add(value=true)

Configuring in the EAP profile xml

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0">
...
    <system-properties>
        <property name="io.undertow.client.https.disableEndpointIdentification" value="true"/>
    </system-properties>
...
</server>
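The following Java snippet is an added illustration of what this property toggles, not code from the article or from Undertow itself. It assumes, as is the standard JSSE mechanism for hostname verification, that the fixed client enables endpoint identification by setting the "HTTPS" algorithm on the engine's SSLParameters and that the opt-out property skips that step; the class and method names are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Demonstrates the JSSE setting that an HTTPS client uses to check the
 * server identity against the host name it dialed. With the algorithm
 * left null the TLS handshake still validates the certificate chain, but
 * a valid certificate for any other host is accepted. (Hypothetical
 * example, not Undertow's implementation.)
 */
public class EndpointIdentificationDemo {

    // Assumption: the same opt-out property the article describes.
    static final String OPT_OUT_PROPERTY =
            "io.undertow.client.https.disableEndpointIdentification";

    /**
     * Builds a client-mode SSLEngine for the given host and port.
     * Hostname verification is on unless the opt-out property is true.
     */
    static SSLEngine configureEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        if (Boolean.getBoolean(OPT_OUT_PROPERTY)) {
            // Pre-fix behavior: no endpoint identification, so the
            // certificate's subject/SAN is never compared with 'host'.
            params.setEndpointIdentificationAlgorithm(null);
        } else {
            // Fixed behavior: JSSE performs RFC 2818 style matching of
            // the certificate against the host name during the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
        }
        engine.setSSLParameters(params);
        return engine;
    }

    /** Reports whether a configured engine will verify the server's host name. */
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equals(alg);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample target; no connection is opened here.
        SSLEngine engine = configureEngine(ctx, "example.com", 443);
        System.out.println(OPT_OUT_PROPERTY + " = "
                + System.getProperty(OPT_OUT_PROPERTY, "(unset)"));
        System.out.println("server identity verified: " + verifiesHostname(engine));
    }
}
```

Running the class with and without -Dio.undertow.client.https.disableEndpointIdentification=true shows the two states side by side; an auditor checking a deployment should treat a "true" value as a deliberate acceptance of the pre-fix risk and confirm it is scoped to the hosts that actually need it.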

Root Cause

[1] https://access.redhat.com/security/cve/cve-2022-4492


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.