2 Replies Latest reply on Apr 2, 2013 6:08 AM by eeshan.shrimali

    Regarding security vulnerabilities in JBoss AS 7.1.1 Final

    eeshan.shrimali

We are currently running JBoss AS version 4.2.3 GA and are now moving up to the latest one, which is version 7.1.1 Final. One of the reasons (among others) why we are looking to upgrade is that there were a couple of security vulnerabilities found in the version that we are currently running, which we need to resolve for PCI compliance purposes.

       

      The CVEs corresponding to these vulnerabilities are:

       

We understand that these links correspond to the Enterprise version of the JBoss Web Server and that the web server is no longer a standalone product and has been merged with the application server. Knowing that, our assumption is that the fixes that were made in version 1.0.2 (and 1.0.1) of the Enterprise Web Server must be part of the latest community version of the Application Server as well.

       

We couldn't find any patches for these vulnerabilities for version 4.2.3 GA, and it looks like upgrading the server is the only option. And since we're upgrading, we are thinking of upgrading to the latest version (7.1.1 Final) altogether.

       

Can anyone please confirm whether the assumption mentioned above is correct? We have been unable to find any information regarding it in our searches or in our attempts to find out from Red Hat support (since they do not keep any information about the community versions of JBoss). Also, is it safe to assume that going to the latest and greatest version of JBoss is a good idea since it will be secure against most of the vulnerabilities and there will be more chances of finding patches for the latest version as compared to an older one for any new vulnerabilities that crop up?

       

      Please let me know if any other information is required that would be helpful in answering this question. Thank you!

       

      NOTE: For various reasons, we are at this moment not planning to go for the JBoss EAP 6. The Community AS satisfies all our needs and the EAP will be overkill at this point.

        • 1. Re: Regarding security vulnerabilities in JBoss AS 7.1.1 Final
          jaikiran

          Welcome to the forums Eeshan.
          Eeshan Shrimali wrote:
          Also, is it safe to assume that going to the latest and greatest version of JBoss is a good idea since it will be secure against most of the vulnerabilities and there will be more chances of finding patches for the latest version as compared to an older one for any new vulnerabilities that crop up?

           

          Yes, that's a good idea.
          Eeshan Shrimali wrote:
          NOTE: For various reasons, we are at this moment not planning to go for the JBoss EAP 6. The Community AS satisfies all our needs and the EAP will be overkill at this point.

7.1.1 was released a year ago. There's been a recent new release. Maybe that'll interest you? Take a look at these:

           

          https://community.jboss.org/blogs/mark.little/2013/03/07/eap-binaries-available-for-all-developers

          http://www.jboss.org/jbossas/faq

          http://www.jboss.org/jbossas/downloads

          • 2. Re: Regarding security vulnerabilities in JBoss AS 7.1.1 Final
            eeshan.shrimali

            Thanks for your inputs, Jaikiran.

             

            I have gone through the links that you provided. They were quite helpful (along with related posts on the forum) and went a long way in clarifying the differences between the EAP, EAP Alpha and the Community AS versions. It is an interesting direction that JBoss is taking now by releasing the Alpha version of the EAP in the community. So if I'm understanding correctly, the future roadmap seems to be:

             

• The final version of the community AS that has been released is 7.1.1, and it looks like the next version is going to be 8.0.0, which will be released in the community as a binary.
• The alpha version of EAP 6 was released into the community, which is based on AS 7.2.0 Final. Although it is an alpha version, it is said to be equal to or better in quality as compared to the final community version. Any future EAP versions (minor or major, except alphas), however, will be available only through paid or zero-dollar developer subscriptions.

             

Frankly, for monetary reasons, we are happy with the self-support option and therefore want to continue with the community version in production. That being said, would you say that EAP 6.1 Alpha will be a better choice for this purpose as compared to 7.1.1 Final? One of my major concerns with this approach (apart from the mind-block against using an "alpha" version in production) is whether it will be easier to find community support and discussions for the 7.1.1 Final version as compared to EAP 6.1 Alpha. I don't know how popular the EAP Alpha version is as compared to the community final version. The alpha discussion board seems pretty bare bones (https://community.jboss.org/en/jbosseap).

             

Also, could you please provide your thoughts on my other assumption: "We understand that these links correspond to the Enterprise version of the JBoss Web Server and that the web server is no longer a standalone product and has been merged with the application server. Knowing that, our assumption is that the fixes that were made in version 1.0.2 (and 1.0.1) of the Enterprise Web Server must be part of the latest community version of the Application Server as well."

             

            Thanks once again.