[jboss-jira] [JBoss JIRA] (WFLY-9209) Patch needed for WF 10.1.0.Final for CVE-2016-4970

John Hovell (JIRA) issues at jboss.org
Wed Aug 9 15:33:00 EDT 2017


    [ https://issues.jboss.org/browse/WFLY-9209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447001#comment-13447001 ] 

John Hovell commented on WFLY-9209:
-----------------------------------

[~ctomc] - I have only tried image scanners that recognize JARs or OS packages that have been flagged in CVEs. It does not attempt any runtime exploit.

[~sannegrinovero] this is a reported CVE that has been public for over a year. I think based on what [~ctomc] is saying WF shouldn't actually be affected. I am just looking for some written documentation of that fact via an errata. The link you provided states:

You should contact Red Hat Global Support Services if:

- You are unsure about how a known vulnerability affects a Red Hat product or service.

So I should contact Red Hat Global Support Services and not Red Hat Product Security?



> Patch needed for WF 10.1.0.Final for CVE-2016-4970
> --------------------------------------------------
>
>                 Key: WFLY-9209
>                 URL: https://issues.jboss.org/browse/WFLY-9209
>             Project: WildFly
>          Issue Type: Bug
>    Affects Versions: 10.1.0.Final
>            Reporter: John Hovell
>            Assignee: Jason Greene
>
> Several 3rd party security scanners we use flag Wildfly 10.1.0.Final as containing the following DoS vulnerability:
> https://nvd.nist.gov/vuln/detail/CVE-2016-4970
> I have found a Red Hat errata and bugzilla but neither references WildFly specifically, nor does CVE-2016-4970 turn up on a search here in Jira.
> https://access.redhat.com/security/cve/cve-2016-4970
> https://bugzilla.redhat.com/show_bug.cgi?id=1343616
> I am trying to understand if the WildFly team believes WF 10.1.0 is vulnerable and, if so, whether it should be patched. I understand that WF 11 has an upgraded version of Netty which is not vulnerable to this CVE, but it is still in beta, and security patches shouldn't need a major version upgrade.
> I am also trying to understand the official channel that the WildFly project uses to track security errata, as a search for "CVE" here only turns up ~3 other issues. Are the above Red Hat links the place to look? And if so, should WildFly be marked as not affected, or why do they only refer to very very old versions of JBoss? I'd still be confused, however, how WF wouldn't be affected, as it seems to contain wildfly/modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar which does not appear to be back-ported with a fix.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
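The thread turns on what the image scanners actually do: they match the Netty jar under the WildFly modules tree by its filename version (netty-all-4.0.33.Final.jar) against a fixed-version threshold, without touching the running server. The following script is an added example, not part of this thread, of WildFly, or of any scanner product, that reproduces that inventory step so a defender can see exactly what such a flag is based on. It assumes the module layout quoted in the issue (modules/system/layers/<layer>/io/netty/main/) and takes the fixed version as a parameter; FIXED_VERSION_PLACEHOLDER is a labelled placeholder because the thread never states which Netty release carries the fix. The sample modules tree it builds is constructed for the example.

```python
"""Inventory Netty jars under a WildFly modules tree and compare each one's
filename version against a fixed-version threshold (a filename-only check,
which is what the scanners discussed in WFLY-9209 do).

Added example; not code from the JIRA thread, WildFly, or a scanner vendor.
"""
import os
import re
import tempfile

# Placeholder only: substitute the version named in the vendor errata.
FIXED_VERSION_PLACEHOLDER = "4.0.99.Final"

# Pre-release qualifiers, in Maven's ordering; anything else (Final, GA, "") ranks above them.
PRERELEASE = ("alpha", "beta", "milestone", "cr", "rc", "snapshot")

# netty-all-4.0.33.Final.jar  ->  artifact "netty-all", version "4.0.33.Final"
JAR_RE = re.compile(
    r"^(?P<artifact>netty(?:-[a-z]+)*)-"
    r"(?P<version>\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)?)\.jar$"
)


def parse_version(version):
    """Split '4.0.33.Final' into ((4, 0, 33), 'Final') so numeric parts compare numerically."""
    nums, qualifier = [], ""
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    return tuple(nums), qualifier


def version_key(version):
    """Sortable key: numeric tuple, then a rank that puts Beta/RC below Final."""
    nums, qualifier = parse_version(version)
    q = re.sub(r"\d+$", "", qualifier.lower())  # "Beta1" -> "beta"
    rank = PRERELEASE.index(q) if q in PRERELEASE else len(PRERELEASE)
    return nums, rank


def find_netty_jars(modules_root):
    """Walk modules_root and return sorted (jar_path, artifact, version) tuples."""
    found = []
    for dirpath, _dirs, files in os.walk(modules_root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                found.append((os.path.join(dirpath, name), m.group("artifact"), m.group("version")))
    return sorted(found)


def check_netty(modules_root, fixed_version):
    """Return [(jar_path, version, 'below-fix' | 'at-or-above-fix'), ...]."""
    fixed = version_key(fixed_version)
    results = []
    for path, _artifact, version in find_netty_jars(modules_root):
        status = "below-fix" if version_key(version) < fixed else "at-or-above-fix"
        results.append((path, version, status))
    return results


def build_sample_tree():
    """Constructed sample: a fake WildFly modules directory with two layers (not a real install)."""
    root = tempfile.mkdtemp(prefix="wf-modules-")
    layout = {
        "system/layers/base/io/netty/main": "netty-all-4.0.33.Final.jar",      # version quoted in the issue
        "system/layers/patched/io/netty/main": "netty-all-4.0.99.Final.jar",   # placeholder "fixed" version
        "system/layers/base/org/example/main": "example-1.0.jar",              # unrelated jar, must be ignored
    }
    for rel, jar in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        open(os.path.join(d, jar), "wb").close()  # empty file; only the name matters here
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, version, status in check_netty(root, FIXED_VERSION_PLACEHOLDER):
        print(f"{status:16} {version:14} {os.path.relpath(path, root)}")
```

Because the check reads only the filename, it has exactly the blind spot the thread worries about in both directions: a jar that was rebuilt with a back-ported fix but kept its version string would still be reported as below-fix, and a renamed jar would be missed. Confirming a scanner finding therefore means reading the vendor errata for the actual fix version and, where a back-port is claimed, checking the jar's manifest or build provenance rather than its name.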

