AnsweredAssumed Answered

Clarification regarding Jboss QID's: AS vs EAP vs Wildfly

Question asked by Ricardo Pesqueira on Aug 25, 2017
Latest reply on Aug 30, 2017 by Nicolaus Galanffy

Hello all,

I am investigating some hits from our Qualys scanner regarding the following potential QID's:
011711 - Red Hat JBoss Enterprise Application Platform Multiple Security Vulnerabilities
011712 - Red Hat JBoss Enterprise Application Platform Multiple Security Vulnerabilities (RHSA-2014:0170-1)

 

For 011711, according to the description, these vulnerabilities affect Jboss EAP < 6.4.4, however we have hits also on the community version of the last Jboss AS version (7.1.1). According Red Hat, on this page, that Jboss AS version was used as base for developing EAP 6.0.0, all the way up to the 6.4.0. So this means that EAP 6.4.4 indeed has the fix and there are no further updates to Jboss 7.1.1 or below. For 011712, it is a similar situation, as the vulnerabilities affect Jboss EAP < 6.2.1, which also came from the same base as the old Jboss AS 7.

 

The only solution to resolve the vulnerabilities is to migrate to Wildfly, but since this is not mentioned on the QID, I would like to ask, if possible:

 

- Are my assumptions correct and If yes, are there plans to update the QID Solution information to also mention the fixed version of Wildfly?
- Is there any description regarding the detection logic for these QID's when scanning Jboss AS/Wildfly?

 

Thanks in advance for your time.

Outcomes