[jboss-jira] [JBoss JIRA] (WFLY-9209) Patch needed for WF 10.1.0.Final for CVE-2016-4970
John Hovell (JIRA)
issues at jboss.org
Mon Aug 7 20:04:00 EDT 2017
John Hovell created WFLY-9209:
---------------------------------
Summary: Patch needed for WF 10.1.0.Final for CVE-2016-4970
Key: WFLY-9209
URL: https://issues.jboss.org/browse/WFLY-9209
Project: WildFly
Issue Type: Bug
Affects Versions: 10.1.0.Final
Reporter: John Hovell
Assignee: Jason Greene
Several 3rd party security scanners we use flag Wildfly 10.1.0.Final as containing the following DoS vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2016-4970
I have found a Redhat errata and bugzilla but neither references Wildfly specifically nor does CVE-2016-4970 turn up on a search here in Jira.
https://access.redhat.com/security/cve/cve-2016-4970
https://bugzilla.redhat.com/show_bug.cgi?id=1343616
I am trying to understand if Wildfly team believes WF 10.1.0 is vulnerable and if so if it should be patched. I understand that WF 11 has an upgraded version of Netty which is not vulnerable to this CVE, but it is still in beta and security patches shouldn't need a major version upgrade.
I am also trying to understand the official channel that the Wildfly project uses to track security errata as a search for "CVE" here only turns up ~3 other issues. Are the above Redhat links the place to look? And if so should Wildfly be marked as not affected, or why do they only refer to very very old versions of JBoss? I'd still be confused however how WF wouldn't be affected as it seems to contain wildfly/modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar which does not appear to be back-ported with a fix.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list