It was found that the AJP connector in undertow, as shipped in JBoss
EAP 7.1.0.GA, does not honour the ALLOW_ENCODED_SLASH option and thus
allows percent-encoded slash and backslash characters in the URL. This
may lead to path traversal and result in the information disclosure of
arbitrary local files.
This was apparently fixed in 1.4.22.
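As an added example (not code from the advisory, Undertow or JBoss), the Python below mirrors the check that ALLOW_ENCODED_SLASH is meant to enforce: when the option is off, a request path that carries an encoded slash (%2F) or backslash (%5C) is rejected before decoding; when it is on, the path is decoded, backslashes are folded to slashes, and the segments are walked to see whether the request climbs above the document root. A small scan over constructed access-log lines shows how a defender can spot the same requests in logs. All function names, the log format and the sample paths are assumptions made for this example.

```python
"""Added example, not part of the advisory or of Undertow's own code.

Mirrors the ALLOW_ENCODED_SLASH check and shows why it matters by
normalising the decoded path and flagging traversal above the root.
"""
import re
from urllib.parse import unquote

# Percent-encoded forward slash (%2F) and backslash (%5C), any case.
ENCODED_SLASH_RE = re.compile(r"%2f|%5c", re.IGNORECASE)


def resolve_under_root(decoded: str):
    """Walk the decoded path segment by segment.

    Returns the normalised path, or None if a ".." segment would move
    above the document root (a traversal attempt).
    """
    depth = 0
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return None  # climbed above the document root
            depth -= 1
            parts.pop()
        else:
            depth += 1
            parts.append(seg)
    return "/" + "/".join(parts)


def check_request_path(raw_path: str, allow_encoded_slash: bool = False) -> dict:
    """Classify a raw (still percent-encoded) request path.

    verdict is one of "ok", "reject_encoded_slash" or "reject_traversal".
    With allow_encoded_slash=False this behaves like a connector that
    honours ALLOW_ENCODED_SLASH; with True it behaves like the AJP
    connector described in the advisory, so the second stage has to
    catch the traversal instead.
    """
    if not allow_encoded_slash and ENCODED_SLASH_RE.search(raw_path):
        return {"verdict": "reject_encoded_slash", "decoded": None, "resolved": None}

    # Decode exactly once; backslashes are treated as path separators.
    decoded = unquote(raw_path).replace("\\", "/")
    resolved = resolve_under_root(decoded)
    if resolved is None:
        return {"verdict": "reject_traversal", "decoded": decoded, "resolved": None}
    return {"verdict": "ok", "decoded": decoded, "resolved": resolved}


# Constructed access-log lines in a common-log-like layout (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:00:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:00:00:01 +0000] "GET /app/..%2F..%2Fsecret.txt HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2020:00:00:02 +0000] "GET /app/static/..%5c..%5cconfig HTTP/1.1" 200 300',
    '10.0.0.5 - - [01/Jan/2020:00:00:03 +0000] "GET /app/sub/../index.jsp HTTP/1.1" 200 512',
]

REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (path, verdict) for every request a hardened connector would reject."""
    findings = []
    for line in lines:
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        result = check_request_path(m.group(1))
        if result["verdict"] != "ok":
            findings.append((m.group(1), result["verdict"]))
    return findings


if __name__ == "__main__":
    for path, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict}: {path}")
    # The same encoded request seen by a connector that lets encoded slashes through:
    print(check_request_path("/app/..%2F..%2Fsecret.txt", allow_encoded_slash=True))
```

The point of the two-stage check is that rejecting encoded separators up front is cheap and does not depend on how the downstream servlet resolves the file; the segment walk is the fallback for a connector that, like the one in the advisory, passes them through.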