[jboss-jira] [JBoss JIRA] (WFLY-9209) Patch needed for WF 10.1.0.Final for CVE-2016-4970

James Perkins (Jira) issues at jboss.org
Thu Mar 26 16:02:30 EDT 2020 

     [ https://issues.redhat.com/browse/WFLY-9209?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Perkins closed WFLY-9209.
-------------------------------
    Resolution: Out of Date


I'm closing this as out of date as it seems it's fixed.

> Patch needed for WF 10.1.0.Final for CVE-2016-4970
> --------------------------------------------------
>
>                 Key: WFLY-9209
>                 URL: https://issues.redhat.com/browse/WFLY-9209
>             Project: WildFly
>          Issue Type: Bug
>    Affects Versions: 10.1.0.Final
>            Reporter: John Hovell
>            Assignee: Jason Greene
>            Priority: Major
>
> Several 3rd party security scanners we use flag Wildfly 10.1.0.Final as containing the following DoS vulnerability:
> https://nvd.nist.gov/vuln/detail/CVE-2016-4970
> I have found a Redhat errata and bugzilla but neither references Wildfly specifically nor does CVE-2016-4970 turn up on a search here in Jira.
> https://access.redhat.com/security/cve/cve-2016-4970 
> https://bugzilla.redhat.com/show_bug.cgi?id=1343616 
> I am trying to understand if Wildfly team believes  WF 10.1.0 is vulnerable and if so if it should be patched. I understand that WF 11 has an upgraded version of Netty which is not vulnerable to this CVE, but it is still in beta and security patches shouldn't need a major version upgrade.
> I am also trying to understand the official channel that the Wildfly project uses to track security errata as a search for "CVE" here only turns up ~3 other issues. Are the above Redhat links the place to look? And if so should Wildfly be marked as not affected, or why do they only refer to very very old versions of JBoss? I'd still be confused however how WF wouldn't be affected as it seems to contain wildfly/modules/system/layers/base/io/netty/main/netty-all-4.0.33.Final.jar which does not appear to be back-ported with a fix.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the jboss-jira mailing list