On Thu, Jul 18, 2024 at 2:44 AM Emmanuel Hugonnet <ehugonne(a)redhat.com>
wrote:
On 17/07/2024 at 17:12, Pawan Verma -X (pawverma - INFOSYS LIMITED at
Cisco) via wildfly-dev wrote:
>
> We are seeing some critical and high vulnerabilities in some of the
> packages which are bundled along with wildfly 32.0.1.Final
>
> 1. dom4j:1.6 --> CVE-2020-10683 (critical)
>
This is not provided by a WildFly server. We do use dom4j in our testsuite,
but not as part of the server.
> 2. aws-java-sdk-s3:1.11.750 --> CVE-2022-45688 (high)
>
We use version 2.20.126 in 32.0.1. Also CVE-2022-45688 doesn't seem related
to this library.
> 3. json, version 20201115 --> CVE-2022-45688 (high)
>
CVE-2022-45688 doesn't seem related to this library, although I'm not sure
what library this line refers to.
> 4. undertow-core, version 2.3.12.Final --> CVE-2024-6162 (high)
>
This is fixed in Undertow 2.3.15, which will be in the imminent
33.0.0.Final. 32.0.1 uses 2.3.13.
> 5. xnio-api, version 3.8.13.Final --> git l (high)
>
This was fixed in 32.0.1.Final via
https://issues.redhat.com/browse/WFCORE-6738.
> 6. activemq-artemis-native, version 2.0.0 --> CVE-2022-41678 (high)
>
This is wrong: it is not the native part that this CVE is for, but the
Jolokia support, which we don't provide.
> 7. spring-web, version 6.1.5 --> CVE-2024-22262 (high)
>
Not provided by us
> 8. wildfly-elytron-realm-token, version 2.2.3.Final --> CVE-2024-1233 (high)
>
This was fixed in 32.0.1 via
https://issues.redhat.com/browse/WFCORE-6780
and
https://issues.redhat.com/browse/WFCORE-6787.
> 9. soap, version 2.3.1 --> CVE-2022-45378
>
We don't use Apache SOAP.
> Any guidance on how we can rectify these vulnerabilities while using
> wildfly 32.0.1.Final
>
> Thanks,
>
> Pawan
>
>
> _______________________________________________
> wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org
> To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org
> Privacy Statement:
https://www.redhat.com/en/about/privacy-policy
> List Archives:
https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message...
--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His
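Most of the findings above were resolved by checking what the server distribution actually ships: several flagged artifacts are not part of WildFly at all, and others are present in a different version than the scanner reported. The following script, an added example that is not part of this thread or of the WildFly project, automates that reconciliation. It builds an inventory of `<artifact>-<version>.jar` files from a directory tree (or from a list of paths) and classifies each scanner finding as "not shipped", "version differs" or "version matches". The jar paths in `CONSTRUCTED_JAR_PATHS` are constructed for the demonstration and are not a claim about the real module layout or artifact names of WildFly 32.0.1.Final; the finding list is taken from the report quoted above, with a placeholder where the CVE id for item 5 is not legible in the thread.

```python
import re
from dataclasses import dataclass
from pathlib import Path, PurePosixPath

# Maven-style jar name: the version is taken to start at the first "-<digit>"
# boundary, so "wildfly-elytron-realm-token-2.2.3.Final.jar" splits correctly.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


@dataclass(frozen=True)
class Finding:
    """One scanner finding: artifact coordinate, reported version, CVE id."""
    artifact: str
    version: str
    cve: str


# Findings as listed in the report quoted in this thread.
SCANNER_FINDINGS = [
    Finding("dom4j", "1.6", "CVE-2020-10683"),
    Finding("aws-java-sdk-s3", "1.11.750", "CVE-2022-45688"),
    Finding("json", "20201115", "CVE-2022-45688"),
    Finding("undertow-core", "2.3.12.Final", "CVE-2024-6162"),
    Finding("xnio-api", "3.8.13.Final", "<CVE id not legible in report>"),  # placeholder
    Finding("activemq-artemis-native", "2.0.0", "CVE-2022-41678"),
    Finding("spring-web", "6.1.5", "CVE-2024-22262"),
    Finding("wildfly-elytron-realm-token", "2.2.3.Final", "CVE-2024-1233"),
    Finding("soap", "2.3.1", "CVE-2022-45378"),
]

# Constructed sample inventory (illustrative paths, not the real distribution).
CONSTRUCTED_JAR_PATHS = [
    "modules/system/layers/base/io/undertow/core/main/undertow-core-2.3.13.Final.jar",
    "modules/system/layers/base/software/amazon/awssdk/main/aws-java-sdk-s3-2.20.126.jar",
    "modules/system/layers/base/org/jboss/logging/main/jboss-logging-3.5.3.Final.jar",
    "modules/system/layers/base/io/undertow/core/main/module.xml",  # non-jar, ignored
]


def inventory_from_paths(paths):
    """Map artifact name -> set of shipped versions, parsed from jar file names."""
    inventory = {}
    for p in paths:
        m = JAR_NAME_RE.match(PurePosixPath(p).name)
        if m is None:
            continue  # not a versioned jar (module.xml, README, ...)
        inventory.setdefault(m["artifact"], set()).add(m["version"])
    return inventory


def inventory_from_dir(root):
    """Inventory every *.jar under a real installation directory."""
    return inventory_from_paths(str(p) for p in Path(root).rglob("*.jar"))


def triage(findings, inventory):
    """Classify each finding against the inventory.

    Returns {(artifact, cve): (status, sorted shipped versions)}; the key
    includes the CVE because one CVE may be reported against several artifacts.
    """
    result = {}
    for f in findings:
        shipped = sorted(inventory.get(f.artifact, set()))
        if not shipped:
            status = "not shipped"
        elif f.version in shipped:
            status = "version matches"
        else:
            status = "version differs"
        result[(f.artifact, f.cve)] = (status, shipped)
    return result


def report(findings, inventory):
    """Human-readable triage lines, one per finding."""
    lines = []
    for (artifact, cve), (status, shipped) in triage(findings, inventory).items():
        detail = f" (shipped: {', '.join(shipped)})" if shipped else ""
        lines.append(f"{cve:<34} {artifact:<30} {status}{detail}")
    return lines


if __name__ == "__main__":
    # Against a real install: inventory_from_dir("/opt/wildfly-32.0.1.Final")
    for line in report(SCANNER_FINDINGS, inventory_from_paths(CONSTRUCTED_JAR_PATHS)):
        print(line)
```

Only "version matches" findings need further investigation; "version differs" still has to be checked against the fixed version in the advisory, and "not shipped" points at a scanner that is looking beyond the server distribution (for example at test-suite dependencies).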