Is it possible to change Elytron version in Wildfly 26.1.3

[Elia Zaides]

Hi,

I am currently working on Wildfly 26.1.3, and it uses by default Elytron 1.19.Final. 

Since this version has at least one major vulnerability that is fixed only for other versions, is it possible to upgrade Elytron version without moving to a different Wildfly version? 

If yes, what is the process of doing so.

[John Burgess]

Did you ever get an answer?  I'd like the ignore-unavailable-realms attribute of the distributed-realm which was added in elytron 2.2.0.Final

[Darran Lofthouse]

The process that we go through in WildFly for a component upgrade like WildFly Elytron is first we would process the component upgrade into WildFly Core by submitting a pull request to the relevant maintenance branch of WildFly Core and allow that to run through CI giving us a set of test results.

WildFly Core would subsequently be tagged and a pull request submitted against WildFly which again would trigger CI runs.

In some cases you may find that you could get away with manually updating the components in your installation by replacing the jars in the module and updating the module.xml files accordingly but in that case you would be skipping any of the testing we would normally go through to process a component upgrade into WildFly.  However without the CI runs it will not be clear if the component upgrade could cause further issues as we develop with a known set of components rather than independent updates.