[jboss-jira] [JBoss JIRA] (WFLY-9209) Patch needed for WF 10.1.0.Final for CVE-2016-4970

Tomaz Cerar (JIRA) issues at jboss.org
Tue Aug 8 08:18:00 EDT 2017 

    [ https://issues.jboss.org/browse/WFLY-9209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445618#comment-13445618 ] 

Tomaz Cerar commented on WFLY-9209:
-----------------------------------

Netty that is part of WildFly is not used for web server, 
is there as dependency to artemis messaging component.
As such it is isolated to uses within artemis and not directly exposed to the world.

Our webserver component is Undertow.

For CVEs, the Red Hat security advisory is the main place to look, from there, you can find links to various issue trackers also to WildFly if CVE affects it.

Btw, how do 3rd party scanners flag this problem in WildFly? Via testing the exploit on https port or by just scanning the jars of the server and looking into versions of components?

> Patch needed for WF 10.1.0.Final for CVE-2016-4970
> --------------------------------------------------
>
>                 Key: WFLY-9209
>                 URL: https://issues.jboss.org/browse/WFLY-9209
>             Project: WildFly
>          Issue Type: Bug
>    Affects Versions: 10.1.0.Final
>            Reporter: John Hovell
>            Assignee: Jason Greene
>
> Several 3rd party security scanners we use flag Wildfly 10.1.0.Final as containing the following DoS vulnerability:
> https://nvd.nist.gov/vuln/detail/CVE-2016-4970
> I have found a Redhat errata and bugzilla but neither references Wildfly specifically nor does CVE-2016-4970 turn up on a search here in Jira.
> https://access.redhat.com/security/cve/cve-2016-4970 
> https://bugzilla.redhat.com/show_bug.cgi?id=1343616 
> I am trying to understand if Wildfly team believes  WF 10.1.0 is vulnerable and if so if it should be patched. I understand that WF 11 has an upgraded version of Netty which is not vulnerable to this CVE, but it is still in beta and security patches shouldn't need a major version upgrade.
> I am also trying to understand the official channel that the Wildfly project uses to track security errata as a search for "CVE" here only turns up ~3 other issues. Are the above Redhat links the place to look? And if so should Wildfly be marked as not affected, or why do they only refer to very very old versions of JBoss? I'd still be confused however how WF wouldn't be affected as it seems to contain wildfly/modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar which does not appear to be back-ported with a fix.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list