VYPR
Critical severity · NVD Advisory · Published Feb 23, 2023 · Updated Mar 12, 2025

CVE-2022-4492

Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Undertow client fails to verify server certificate hostname in HTTPS connections, enabling man-in-the-middle attacks.

The Undertow HTTP client does not check the server identity presented in the server certificate during HTTPS connections: it validates the certificate chain against its trust store but never verifies that the certificate's subjectAltName (or subject CN) matches the hostname it set out to connect to [1][2]. Chain validation alone only proves that some trusted CA issued the certificate, not that it belongs to the intended server, which is why HTTP over TLS (RFC 2818, RFC 6125) and HTTP/2 (RFC 7540, now RFC 9113) require the client to perform this match. In JSSE the check is off by default for raw SSLEngine/SSLSocket use and has to be enabled explicitly through SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") or an equivalent hostname verifier, which the client did not do.

An attacker positioned to intercept traffic between the client and the server (on a shared network, through DNS spoofing, or by controlling a hop on the path) can terminate the TLS connection with a certificate of their own. Because the chain is still validated, no cryptographic forgery is needed: any certificate that chains to a CA in the client's trust store is accepted regardless of the name it was issued for, including one the attacker legitimately holds for a domain they own. The client then completes the handshake with the attacker, who can read or modify the data in transit and relay it to the real server [3].

The impact is severe: any data the Undertow client sends or receives over HTTPS can be read or tampered with, including authentication credentials, API keys and session tokens, and the client has no way to detect the substitution. This affects Red Hat JBoss Enterprise Application Platform and other products that use Undertow to make outbound HTTPS connections, for example through its reverse-proxy handlers [1][3].

Red Hat has issued patches in JBoss EAP 7.4.10 and corresponding RHEL versions (RHSA-2023:1512-1516) [3]. The fix adds endpoint identification algorithm verification (JSSE's "HTTPS" algorithm) to the client's SSL engine, so the JDK performs the hostname match during the handshake [4]. Users should update to undertow-core 2.2.24.Final or 2.3.5.Final (or a patched downstream build) immediately; until then, outbound HTTPS from the Undertow client should be treated as no stronger than plaintext on any path an attacker can reach.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
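The following is an added example written for this page; it is not Undertow's code and not part of the advisory or the AI Insight above. It shows, with plain JDK APIs, the two client-side SSLEngine setups at the heart of this CVE: one that only validates the certificate chain (the class of defect described above) and one that additionally asks JSSE to match the server's name, plus a small audit check you can run against any SSLEngine your own code constructs. The class and method names and the host name "example.internal" are assumptions for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example (not Undertow code): chain-only client SSLEngine vs. one with
// endpoint identification, and an audit check for the difference.
public class EndpointIdentificationExample {

    // Vulnerable pattern: the trust manager inside ctx still validates the chain,
    // but the endpoint identification algorithm is left null, so a certificate
    // issued by a trusted CA to ANY other name is accepted for "host".
    static SSLEngine clientEngineChainOnly(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Hardened pattern: "HTTPS" tells JSSE to apply RFC 2818 / RFC 6125 matching
    // of host against the certificate's subjectAltName entries (DNS or IP).
    // The peer host given to createSSLEngine is what gets matched, so it must be
    // the name the caller asked for, not a resolved IP address. Parameters must
    // be set before the handshake starts.
    static SSLEngine clientEngineWithIdentityCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Audit check: true only for a client-mode engine that has endpoint
    // identification enabled and knows which host name to match against.
    static boolean verifiesServerIdentity(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return engine.getUseClientMode()
                && engine.getPeerHost() != null
                && alg != null
                && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "example.internal"; // hypothetical target, no connection is made
        SSLEngine weak = clientEngineChainOnly(ctx, host, 443);
        SSLEngine strong = clientEngineWithIdentityCheck(ctx, host, 443);
        System.out.println("chain-only engine verifies server identity: "
                + verifiesServerIdentity(weak));
        System.out.println("hardened engine verifies server identity:   "
                + verifiesServerIdentity(strong));
    }
}
```

The same SSLParameters call applies to SSLSocket. To confirm the check end to end, point the hardened engine at a local TLS listener whose certificate carries a different name: the handshake should fail with an SSLHandshakeException reporting that no subject alternative name matches the requested host, whereas the chain-only engine completes it.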

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem  Affected versions          Patched version
io.undertow:undertow-core  Maven      >= 2.3.0, < 2.3.5.Final    2.3.5.Final
io.undertow:undertow-core  Maven      < 2.2.24.Final             2.2.24.Final
