[
https://issues.jboss.org/browse/WFLY-9209?page=com.atlassian.jira.plugin....
]
Tomaz Cerar commented on WFLY-9209:
-----------------------------------
The Netty that is part of WildFly is not used for the web server; it is there as a dependency of the Artemis messaging component.
As such it is isolated to use within Artemis and not directly exposed to the world.
Our web server component is Undertow.
For CVEs, the Red Hat security advisory is the main place to look; from there you can
find links to various issue trackers, including WildFly's, if the CVE affects it.
Btw, how do 3rd party scanners flag this problem in WildFly? By testing the exploit on
the HTTPS port, or by just scanning the server's jars and looking at the versions of the
components?
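The second kind of scanner described above, one that walks the server's module tree and flags components by jar version alone, is easy to reproduce, and doing so makes the distinction Tomaz draws visible: a version-based finding says nothing about whether the component is reachable from the network. The following Python script is an added example, not code from the issue or from the WildFly project. It builds a throwaway directory tree whose first jar path mirrors the one quoted in the issue; the second jar and the per-branch "fixed" thresholds are constructed placeholders (take the real fixed versions from the Red Hat or NVD advisory before using the output for anything).

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Maven-style jar names: <artifact>-<version>.jar, restricted to Netty artifacts.
JAR_RE = re.compile(
    r"^(?P<artifact>netty(?:-[a-z0-9]+)*)-"
    r"(?P<version>\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)?)\.jar$"
)

# Qualifier ordering used by Netty-style versions; a bare numeric version counts as Final.
QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}

# PLACEHOLDER thresholds for the demonstration only: the version from which each
# branch is treated as fixed. Replace with the versions named in the advisory.
PLACEHOLDER_FIXED_BY_BRANCH: Dict[Tuple[int, int], str] = {
    (4, 0): "4.0.99.Final",
    (4, 1): "4.1.99.Final",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '4.0.33.Final' into a tuple that sorts like Netty releases do:
    numeric components, then qualifier rank, then qualifier number (Beta1, CR2, ...)."""
    nums: List[int] = []
    qualifier = "Final"
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    name, num = (m.group(1), m.group(2)) if m else ("Final", "")
    return tuple(nums), QUALIFIER_RANK.get(name, 3), int(num or 0)


def classify(version: str, fixed_by_branch: Dict[Tuple[int, int], str]) -> str:
    """Version-only verdict: 'fixed', 'version-flagged', or 'unknown-branch'."""
    parsed = parse_version(version)
    fixed = fixed_by_branch.get(parsed[0][:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(fixed) else "version-flagged"


def scan_modules(root: str, fixed_by_branch: Dict[Tuple[int, int], str]) -> List[Tuple[str, str, str]]:
    """Walk a WildFly-style modules tree and report every Netty jar with its verdict.
    Only file names are inspected; nothing is opened or executed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, m.group("version"), classify(m.group("version"), fixed_by_branch)))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed input: the first path is the one quoted in the issue, the second
    is a made-up jar on the 4.1 branch so both verdicts appear in the report."""
    root = tempfile.mkdtemp(prefix="wildfly-demo-")
    for rel in (
        "modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar",
        "modules/system/layers/base/org/example/main/netty-common-4.1.99.Final.jar",
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()  # empty placeholder; only the file name matters here
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, version, verdict in scan_modules(demo_root, PLACEHOLDER_FIXED_BY_BRANCH):
        print(f"{verdict:16} {version:14} {rel}")
    # A 'version-flagged' line is exactly what a jar-scanning tool reports; whether the
    # jar is loaded, and whether its code listens on a port, is a separate question.
```

The verdict column is what a jar-scanning tool has to go on, which is why such a tool cannot distinguish a Netty used internally by the messaging subsystem from one serving HTTPS; answering that question needs a look at which modules the running configuration actually loads and what is bound to network sockets.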
Patch needed for WF 10.1.0.Final for CVE-2016-4970
--------------------------------------------------
Key: WFLY-9209
URL:
https://issues.jboss.org/browse/WFLY-9209
Project: WildFly
Issue Type: Bug
Affects Versions: 10.1.0.Final
Reporter: John Hovell
Assignee: Jason Greene
Several 3rd party security scanners we use flag WildFly 10.1.0.Final as containing the
following DoS vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2016-4970
I have found a Red Hat errata and bugzilla, but neither references WildFly specifically, nor
does CVE-2016-4970 turn up in a search here in Jira.
https://access.redhat.com/security/cve/cve-2016-4970
https://bugzilla.redhat.com/show_bug.cgi?id=1343616
I am trying to understand whether the WildFly team believes WF 10.1.0 is vulnerable and, if so,
whether it should be patched. I understand that WF 11 has an upgraded version of Netty which is
not vulnerable to this CVE, but it is still in beta, and security patches shouldn't
need a major version upgrade.
I am also trying to understand the official channel that the WildFly project uses to
track security errata, as a search for "CVE" here only turns up ~3 other issues.
Are the above Red Hat links the place to look? And if so, should WildFly be marked as not
affected, or why do they only refer to very, very old versions of JBoss? I'd still be
confused, however, as to how WF wouldn't be affected, as it seems to contain
wildfly/modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar, which does not
appear to have had a fix back-ported.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)