undertow is vulnerable to HTTP Smuggling attacks. The library does not verify that messages do not contain invalid headers, allowing a malicious user to conduct http smuggling that can lead to cross-site scripting attacks.
rhn.redhat.com/errata/RHSA-2017-1409.html
www.securityfocus.com/bid/98966
access.redhat.com/errata/RHSA-2017:1410
access.redhat.com/errata/RHSA-2017:1411
access.redhat.com/errata/RHSA-2017:1412
access.redhat.com/errata/RHSA-2017:3454
access.redhat.com/errata/RHSA-2017:3455
access.redhat.com/errata/RHSA-2017:3456
access.redhat.com/errata/RHSA-2017:3458
bugzilla.redhat.com/show_bug.cgi?id=1436163
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
issues.jboss.org/browse/UNDERTOW-1101
www.debian.org/security/2017/dsa-3906