[JBoss JIRA] (WFLY-11887) [CVE-2016-3720]: Usage of vulnarable Jackson 1.9.13 libraries
by Brian Stansberry (Jira)
[ https://issues.jboss.org/browse/WFLY-11887?page=com.atlassian.jira.plugin... ]
Brian Stansberry updated WFLY-11887:
------------------------------------
Security: (was: Security Issue)
> [CVE-2016-3720]: Usage of vulnarable Jackson 1.9.13 libraries
> -------------------------------------------------------------
>
> Key: WFLY-11887
> URL: https://issues.jboss.org/browse/WFLY-11887
> Project: WildFly
> Issue Type: Bug
> Components: REST
> Affects Versions: 14.0.0.Final
> Reporter: Radoslav Ivanov
> Assignee: Brian Stansberry
> Priority: Blocker
> Fix For: 18.0.0.Final
>
>
> We have a couple of high prio vulnerabilities reported around usage of Jackson libraries on WildFly with regards to CVE-2016-3720:
> {code:java}
> jackson-core-asl-1.9.13.jar
> jackson-jaxrs-1.9.13.jar
> jackson-mapper-asl-1.9.13.jar
> jackson-xc-1.9.13.jar
> {code}
> Could you please review and remove/update them?
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years
[JBoss JIRA] (WFLY-12629) MicroProfile capability names are mangled "org.wildlfy..."
by Radoslav Husar (Jira)
[ https://issues.jboss.org/browse/WFLY-12629?page=com.atlassian.jira.plugin... ]
Radoslav Husar updated WFLY-12629:
----------------------------------
Description:
Namely:
org.wildlfy.microprofile.config
org.wildlfy.microprofile.health.reporter
org.wildlfy.extension.microprofile.metrics.wildfly-collector
Lets fix these up before we properly support this since WF 19.
was:
Namely:
org.wildlfy.microprofile.config
org.wildlfy.microprofile.health.reporter
org.wildlfy.extension.microprofile.metrics.wildfly-collector
> MicroProfile capability names are mangled "org.wildlfy..."
> ----------------------------------------------------------
>
> Key: WFLY-12629
> URL: https://issues.jboss.org/browse/WFLY-12629
> Project: WildFly
> Issue Type: Bug
> Components: MP Config, MP Health, MP Metrics
> Reporter: Radoslav Husar
> Assignee: Radoslav Husar
> Priority: Major
>
> Namely:
> org.wildlfy.microprofile.config
> org.wildlfy.microprofile.health.reporter
> org.wildlfy.extension.microprofile.metrics.wildfly-collector
> Lets fix these up before we properly support this since WF 19.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years
[JBoss JIRA] (WFLY-12629) MicroProfile capability names are mangled "org.wildlfy..."
by Radoslav Husar (Jira)
Radoslav Husar created WFLY-12629:
-------------------------------------
Summary: MicroProfile capability names are mangled "org.wildlfy..."
Key: WFLY-12629
URL: https://issues.jboss.org/browse/WFLY-12629
Project: WildFly
Issue Type: Bug
Components: MP Config, MP Health, MP Metrics
Reporter: Radoslav Husar
Assignee: Radoslav Husar
Namely:
org.wildlfy.microprofile.config
org.wildlfy.microprofile.health.reporter
org.wildlfy.extension.microprofile.metrics.wildfly-collector
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years
[JBoss JIRA] (WFLY-12614) Duplicated ConstraintViolation message
by Ronald Sigal (Jira)
[ https://issues.jboss.org/browse/WFLY-12614?page=com.atlassian.jira.plugin... ]
Ronald Sigal commented on WFLY-12614:
-------------------------------------
[~brian.stansberry], I did the validation integration years ago, which has some peculiar twists and turns, mainly because of CDI interfering with the order of things. I've tracked down edge cases over the years, so much so that I'm reminded of Captain Ahab: "He tasks me; he heaps me; I see in him outrageous strength, with an inscrutable malice sinewing it." ;-)
I'll take a look.
> Duplicated ConstraintViolation message
> --------------------------------------
>
> Key: WFLY-12614
> URL: https://issues.jboss.org/browse/WFLY-12614
> Project: WildFly
> Issue Type: Bug
> Components: Bean Validation, REST
> Affects Versions: 17.0.1.Final, 18.0.0.Beta1
> Reporter: Robin Schimpf
> Assignee: Alessio Soldano
> Priority: Major
> Attachments: wildfly-bug.zip
>
>
> We currently are upgrading our application from Wildfly 13 to Wildfly 17.0.1 and are receiving duplicated constraint violations in the response of an invalid request.
> Interestingly Wildfly 13 also seems to be not behaving correctly on the third request but in another way. There is the violation exception returned in the response instead of the duplicated value Wildfly 17 is returning now.
> I also tested this on the currently available Wildfly 18 Beta 1 and the issue is also reproducible.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years
[JBoss JIRA] (WFWIP-189) Operator is not aware of Secret/ConfigMap updates (WildFlyServerSpec#envFrom) - this could lead to inconsistencies
by Jeff Mesnil (Jira)
[ https://issues.jboss.org/browse/WFWIP-189?page=com.atlassian.jira.plugin.... ]
Jeff Mesnil commented on WFWIP-189:
-----------------------------------
This problem is not specific to the operator and is something inherent to Kubernetes.
There are various approaches to mitigate this issue and they all seem ad hoc...
The solution mentioned in https://blog.questionable.services/article/kubernetes-deployments-configm... is not sufficient. It requires to watch for any config map / secrets that the application references and compute their checksum and put that info in the WildFlyServer resources. This goes beyond what the operator should deal with (and still leaves some windows that would result in inconsistencies between pods).
As far as I can tell the best way to mitigate that issue is to "version" the names of the config maps referenced by the operator.
Eg.
{code}
spec:
envFrom:
- configMapRef:
name: my-config-1
{code}
If a change must be made to the config map, it can be copied to another config map named config-2.
Then the WildFlyServer Spec can be updated with that info:
{code}
spec:
envFrom:
- configMapRef:
name: my-config-2
{code}
I don't think the operator should change the semantic and behaviour of the existing Kubernetes resources. it should comply with it and works in a way that is consistent with Kubernetes. It is known that updating a config map will not trigger a rollout of a deployment (even more so any change in a statefulset).
> Operator is not aware of Secret/ConfigMap updates (WildFlyServerSpec#envFrom) - this could lead to inconsistencies
> ------------------------------------------------------------------------------------------------------------------
>
> Key: WFWIP-189
> URL: https://issues.jboss.org/browse/WFWIP-189
> Project: WildFly WIP
> Issue Type: Bug
> Components: OpenShift
> Reporter: Petr Kremensky
> Assignee: Jeff Mesnil
> Priority: Blocker
> Labels: operator
>
> User is able to share environment variables in a ConfigMap or Secret and pass it to Operator via [WildFlyServerSpec#envFrom|https://github.com/wildfly/wildfly-operator/blo...] field. Problem is, that Operator is not aware of changes in Secret/ConfigMap (only reference change is recognized - add or remove ConfigMap/Secret reference). This could lead to inconsistency of environment between pods in a single project (moreover this could lead also to inconsistency between projects in case that ConfigMap/Secret is shared by them).
> The reaction on ConfigMap/Secret content should be doable, see https://blog.questionable.services/article/kubernetes-deployments-configm...
> *reproduce*
> * create a config map with ("foo1", "bar1") entry
> * create an operator (size = 1) with a reference to the config map
> * update the config map - add ("foo2", "bar2") entry
> * resize the operator
> *actual*
> {code}
> $ oc get pods
> NAME READY STATUS RESTARTS AGE
> eap-cd-0 1/1 Running 0 112s
> eap-cd-1 1/1 Running 0 94s
> wildfly-operator-55b544c4bb-wts8l 1/1 Running 0 2m1s
> $ oc rsh pod/eap-cd-0
> sh-4.4$ env | grep foo
> foo1=bar1
> $ oc rsh pod/eap-cd-1
> sh-4.4$ env | grep foo
> foo1=bar1
> foo2=bar2
> {code}
> *expected*
> {code}
> $ oc get pods
> NAME READY STATUS RESTARTS AGE
> eap-cd-0 1/1 Running 0 112s
> eap-cd-1 1/1 Running 0 94s
> wildfly-operator-55b544c4bb-wts8l 1/1 Running 0 2m1s
> $ oc rsh pod/eap-cd-0
> sh-4.4$ env | grep foo
> foo1=bar1
> foo2=bar2
> $ oc rsh pod/eap-cd-1
> sh-4.4$ env | grep foo
> foo1=bar1
> foo2=bar2
> {code}
> *Environment:*
> *operator version:* [467407a|https://github.com/wildfly/wildfly-operator/commit/467407a6c21102...]
> *openshift version:*
> {noformat}
> OpenShift version: 4.1.11
> Kubernetes Master Version: v1.13.4+df9cebc
> {noformat}
> Out of curiosity, is there is way to rollout the pods manually as {{oc rollout}} was designed for DeploymentConfigs and cannot be used here?
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years