14 Replies Latest reply on Apr 23, 2014 5:56 PM by sivasubram

    CVE fix list for WildFly?

    bosullivan00

      Pardon if this is a dumb question, but I've searched around on the site and can't find it. I'm looking for particular CVEs and whether they are fixed in WildFly - and if so, in what version. Can someone help?

        • 1. Re: CVE fix list for WildFly?
          ctomc

Red Hat provides CVEs for the commercially supported version, JBoss EAP.

          See more details about it here https://access.redhat.com/site/support/policy/updates/jboss_notes/

          and https://rhn.redhat.com/errata/rhel6-jbeap-6-errata-security.html

          WildFly (previously JBoss AS) is the upstream project for EAP. We fix security-related problems in the product and upstream at the same time (if applicable),

          but in upstream it is usually just applied to master, and fixes are as such available as part of the next release, whatever that is;

          the product, on the other hand, gets patches for all released versions.


          --

          tomaz

          • 2. Re: CVE fix list for WildFly?
            sivasubram

            On a similar theme I am looking for CVEs that are fixed in Community version 7.2.0 Final (not in EAP 6.1.0). Can you help

            Siva

            • 3. Re: CVE fix list for WildFly?
              ctomc

We do not keep separate CVEs, if that is what you are asking.

              As far as 7.2.0.Final goes, it is exactly the same as EAP 6.1.0.Alpha, which then got a bunch of testing and fixes and became EAP 6.1.0.GA.

              • 4. Re: CVE fix list for WildFly?
                sivasubram

Thank you for the response. Where can I find the CVEs that are fixed in Community version AS7? Red Hat's website gives the CVEs that are associated with each of the EAP releases. As an example, CVEs 2012-4572/5575, 2013-2067/2185/428/4213 are fixed in EAP 6.1.0. Does 7.2.0 Final have these fixes?

                • 5. Re: CVE fix list for WildFly?
                  ctomc

We fix all security problems in upstream first and then they are backported to EAP.

                  But that means that only the latest upstream releases have all CVE fixes.

                  As far as 7.2.0 goes:

                  7.2.0.Final --> EAP 6.1.0.Alpha --> EAP 6.1.0.Beta --> EAP 6.1.0.Final --> EAP 6.1.1 --> ...

                  So any fixes in EAP 6.1 post-alpha are not part of 7.2.0.Final but went to "current" upstream at the time and were part of the next community release, in this case WildFly 8.

                  We usually don't do backports of any fixes for community releases; we just fix stuff in the latest release.

                  • 6. Re: CVE fix list for WildFly?
                    bosullivan00

I think I'm looking for the same thing that Siva is - just to get a good idea of what CVE fixes are in which release. Tomaz was talking earlier about the JBoss EAP CVE info, which is great, but only tells me which versions of EAP the CVEs are fixed in. I need to know precisely which version of Community / WildFly they're fixed in.

                    • 7. Re: CVE fix list for WildFly?
                      whitingjr

                      Brian and Siva,

The list of fixed CVEs is not something currently compiled by the community. Tomaz has mentioned this a couple of times for you. This being an open source project, your contributions to the project are greatly welcomed to make it better.

                      Your contribution to list the CVEs in the community version involves comparing the changes that went into EAP versus WildFly. Tomaz pointed out a patch goes into upstream initially, then is backported to EAP. To compile a list yourself, look through the CVE list for EAP, identifying the project that was changed to include the fix. Then look at WildFly project versions to see if the version is the same or more recent.

                      Having compiled a list for the version of WildFly that interests you, create a blog post or some similar announcement to share your findings with the community.

                      Of course, if you don't have the time to contribute, then reconsider using EAP, where the information you want is provided on a plate.
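The comparison described in the post above (for each EAP advisory, find the component that carried the fix and check whether the community release ships that component at the same or a more recent version) can be automated once the advisory data is tabulated. The script below is an added example and is not code from the thread or from the WildFly project; the CVE identifiers, component names and versions in it are constructed placeholders, and the version-ordering rules (numeric segments, then Alpha < Beta < CR < Final/GA) are an assumption that matches the release names quoted in the thread.

```python
"""
Added example (not from the thread): decide which advisories a release
covers by comparing shipped component versions against the first fixed
version named in each advisory. All data below is constructed.
"""
import re
from dataclasses import dataclass

# Assumed qualifier ordering when the numeric parts are equal.
# Final, GA and a missing qualifier are all treated as a release build.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3, "ga": 3, "": 3}


def parse_version(version: str):
    """Turn '1.2.10.Beta2' into a comparable tuple:
    ((1, 2, 10, 0), rank_of('beta'), 2). Numeric segments are compared
    numerically, so 1.0.10 sorts after 1.0.9."""
    numbers, qualifier = [], ""
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            numbers.append(int(part))
        else:
            qualifier = part
            break  # first non-numeric segment is the qualifier (e.g. Beta2)
    name, num = re.match(r"([A-Za-z]*)(\d*)", qualifier).groups()
    rank = _QUALIFIER_RANK.get(name.lower(), 3)  # unknown qualifiers count as release
    numbers = (numbers + [0, 0, 0, 0])[:4]       # pad/truncate to four segments
    return (tuple(numbers), rank, int(num) if num else 0)


@dataclass(frozen=True)
class Advisory:
    cve: str         # constructed placeholder identifier
    component: str   # artifact that received the fix
    fixed_in: str    # first component version carrying the fix


def fixed_in_release(advisories, release_components):
    """Map each CVE to True (release ships the fixed version or newer),
    False (release ships an older version) or None (component absent,
    so no conclusion can be drawn from versions alone)."""
    status = {}
    for adv in advisories:
        shipped = release_components.get(adv.component)
        if shipped is None:
            status[adv.cve] = None
        else:
            status[adv.cve] = parse_version(shipped) >= parse_version(adv.fixed_in)
    return status


# Constructed advisory table; identifiers are placeholders, not real CVEs.
CONSTRUCTED_ADVISORIES = [
    Advisory("CVE-0000-0001", "example-ldap-realm", "1.0.3.Final"),
    Advisory("CVE-0000-0002", "example-web-core", "2.1.0.Beta2"),
    Advisory("CVE-0000-0003", "example-remoting", "3.4.0.GA"),
]

# Constructed bill of components for a hypothetical community release.
CONSTRUCTED_RELEASE = {
    "example-ldap-realm": "1.0.3.Final",   # at the fixed version
    "example-web-core": "2.1.0.Beta1",     # one pre-release behind the fix
    # example-remoting is not shipped at all
}

if __name__ == "__main__":
    for cve, covered in fixed_in_release(CONSTRUCTED_ADVISORIES, CONSTRUCTED_RELEASE).items():
        label = {True: "fixed", False: "NOT fixed", None: "component absent"}[covered]
        print(f"{cve}: {label}")
```

A `None` result is worth keeping separate from `False`: a component missing from the release may mean the vulnerable code is not present at all, or that it was renamed or merged into another artifact, and only reading the linked JIRA or Bugzilla entry settles which.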

                      • 8. Re: CVE fix list for WildFly?
                        bosullivan00

Ah, sorry - I did not get that from Tomaz's answer. From my reading, I realized that WildFly would add CVEs whenever possible, but was still hoping that there would be a tracking system that allowed users to determine when they had been added.

                        • 9. Re: CVE fix list for WildFly?
                          sivasubram

Agree - for example, I was looking at the release notes for 7.0.2 Final and could not find any information on CVEs that are in this release. Can I assume that the only CVEs that are fixed are from the Red Hat website?

                          • 10. Re: CVE fix list for WildFly?
                            ctomc

                            Siva Subramaniam wrote:


                            Can I assume that the only CVEs that are fixed are from the Red Hat website?

                            Yes.

7.0.2 was a community-only release without any EAP counterpart at that time (EAP 6.0 dev started with 7.1.1 as base);

                            in releases like that you can go through the list of fixed JIRA issues. We don't hide anything; the code always tells the truth.

                            • 11. Re: CVE fix list for WildFly?
                              sivasubram

Thank you for the info. I am compiling a CVE list for 7.2.0 Final (what has been fixed in this release) and a CVE list for WildFly. I looked at the release notes for 7.2.0 Final and the issues (JIRA) for WildFly and cannot find any matches. Examples - 7.2.0 Final: CVE-2012-5629/RHSA-2013:0234-1/Bugzilla#885569 - cannot find this anywhere. WildFly 8.x.x: CVE-2013-4213/RHSA-2013:1437-1/Bugzilla#985359

                              • 12. Re: CVE fix list for WildFly?
                                ctomc

                                [AS7-6108] The LDAP Realm used for the management interfaces and Remoting connectors is incorrectly accepting empty pass…

was the one you were looking for; they are all linked with the EAP ones. To be fair, issues around EAP 6.0.1 to EAP 6.1 are a bit more messy as there was a migration JIRA --> Bugzilla,

                                but everything can still be found.

                                • 13. Re: CVE fix list for WildFly?
                                  sivasubram

Thank you. As I am compiling a complete CVE list for WildFly (post 7.2.0 Final) I need some guidance here. From the MITRE CVE website (also linked to the NVD website) I did a search for JBoss and got 106 CVEs. Now if I search the issues list in WildFly, I am unable to find any of the CVEs. Examples: CVE-2103-6448, CVE-2012-5575 (used the descriptive text as my search criteria). There are approximately 340 issues in WildFly. CVE-2012-5575 has been fixed in the EAP 6.1.0 update (Bugzilla #880443); has this been fixed in WildFly?

                                  • 14. Re: CVE fix list for WildFly?
                                    sivasubram

                                    Brian,

                                    Are you having any luck in finding any CVEs that are being fixed in any version of WildFly?