3 Replies Latest reply on Aug 30, 2017 9:46 AM by Tomaz Cerar

    Porting EAP security fixes?

    Ricardo Pesqueira Newbie

      Hello all,

      I'm trying to understand how JBoss EAP release cycles based on the community version work in relation to security patches. More specifically, are the security fixes applied to JBoss EAP ported to any community release?

      Here's an example: JBoss AS 7.1.1.Final. According to this article, my understanding is that this seems to be the last version of JBoss AS before the EAP 6 development started, going from EAP 6.0.0 to 6.4.0. Now, there are 3 vulnerabilities that have been discovered: CVE-2015-5220, CVE-2015-5178, CVE-2015-5188.

      According to this page, these vulnerabilities have all been addressed in EAP 6.4 Update 04. This is the confusing part for me. Does this mean that JBoss AS 7.1.1.Final does not have any chance to get the patch?

      I do understand that this version is no longer supported and a migration should be done to WildFly. However, I still need to know if there is a way to patch the vulnerabilities while the upgrade is being planned.

      Lastly, is there any official page that describes the EAP/WildFly release cycle, for easy reference to security fixes?


      Thanks in advance for your time.

        • 1. Re: Porting EAP security fixes?
          Tomaz Cerar Master

          The JBoss AS community project was renamed to WildFly Application Server after 7.x, and the first release with the new name was WildFly 8.

          The last stable version of WildFly is 10.1.0.Final, and the upcoming 11 is currently at Beta1, with CR1 & Final coming in the following weeks.

          All EAP CVEs you mentioned were addressed in WildFly as well.

          If you follow the errata links for the CVEs you linked, you will find links to Bugzilla issues that were used to track the issue.

          For example, for https://access.redhat.com/errata/RHSA-2015:1906 you find BZ https://bugzilla.redhat.com/show_bug.cgi?id=1252885, which links to the upstream Jira for WildFly, https://issues.jboss.org/browse/WFCORE-594.

          That tells you it was fixed in WildFly Core 2.0.0.CR9, which is used in WildFly 10. But you can also find a linked Jira, https://issues.jboss.org/browse/WFCORE-594, to backport the fix to the 1.0.x branch of wildfly-core, which is used in WildFly 9, and later on we released 9.0.2.Final that had that version of core in it, as you can see in the release notes (Release Notes - JBoss Issue Tracker).

          In short, you can track all CVE issues back to Bugzilla / Jira for EAP and the upstream projects, where you can see how and where the fix landed.

          But it does take a few clicks and looking around the code to see in which binary community release the fix landed.

          1 of 1 people found this helpful
          • 2. Re: Porting EAP security fixes?
            Ricardo Pesqueira Newbie

            Hello Tomaz,

            Thank you so much for the quick reply. That connection from advisory -> Bugzilla -> Jira is very helpful.

            So I guess it is safe to say that the last release of JBoss AS 7.x (and any version below that) is vulnerable to those CVEs and there is no way to fix it besides migrating to WildFly 9.0.2 (at least)?

            • 3. Re: Porting EAP security fixes?
              Tomaz Cerar Master

              Ricardo Pesqueira wrote:

              So I guess it is safe to say that the last release of JBoss AS 7.x (and any version below that) is vulnerable to those CVEs and there is no way to fix it besides migrating to WildFly 9.0.2 (at least)?

              Well, that is true, at least for RHSA-2015:1906; I didn't check the other CVEs you mention.

              But on the other hand, the mgmt. console is by default not publicly accessible, limited only to local network use, and available on a separate port.

              So the question is how exploitable this can even be in your environment. But as I said, that is just in the case of this CVE.
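As an added illustration of the check this thread ends up doing (not code from the thread or from the WildFly project): a small Python helper that orders JBoss AS/WildFly release names such as 7.1.1.Final, 2.0.0.CR9 and 11.0.0.Beta1 and reports which tracked fixes a given release predates. The lookup table is constructed from the one fact stated above (9.0.2.Final is the first community release carrying the WFCORE-594 fix, and older JBoss AS/WildFly releases never received it); treating an untagged x.y.z as Final is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Qualifier order used by JBoss/WildFly release names: Alpha < Beta < CR < Final.
# A bare "x.y.z" is treated as Final (assumption; the thread only shows tagged names).
QUALIFIER_RANK = {"ALPHA": 0, "BETA": 1, "CR": 2, "FINAL": 3}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(Alpha|Beta|CR|Final)(\d*))?$", re.IGNORECASE)

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '2.0.0.CR9' into a tuple that sorts correctly: (2, 0, 0, rank(CR), 9)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JBoss/WildFly version string: {version!r}")
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = (m.group(4) or "Final").upper()
    qualifier_number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, micro, QUALIFIER_RANK[qualifier], qualifier_number)


def has_fix(installed: str, first_fixed: str) -> bool:
    """True when the installed release is the first fixed one or anything newer."""
    return parse_version(installed) >= parse_version(first_fixed)


# Constructed table: issue -> first community WildFly release that carries the fix.
# The only entry is taken from the thread (WFCORE-594, tracked via RHSA-2015:1906).
FIRST_FIXED_WILDFLY: Dict[str, str] = {"WFCORE-594": "9.0.2.Final"}


def unfixed_issues(installed: str, table: Dict[str, str] = FIRST_FIXED_WILDFLY) -> List[str]:
    """Issues whose fix is absent from the given JBoss AS / WildFly release."""
    return [issue for issue, fixed in table.items() if not has_fix(installed, fixed)]


if __name__ == "__main__":
    for release in ("7.1.1.Final", "9.0.1.Final", "9.0.2.Final", "10.1.0.Final", "11.0.0.Beta1"):
        print(release, "missing:", unfixed_issues(release) or "nothing")
```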