CVE-2021-3503


Loca4368

Jan 24, 2023, 7:35:54 PM
to WildFly
Hi WildFly Team,

We would like to double-check/confirm CVE-2021-3503.

We are currently on 26.1.2.Final WildFly with JDK17 (and in the process of upgrading to 27.0.1.Final).
There is a CVE, CVE-2021-3503, reported against WildFly-related jars, including
licenses-plugin-2.0.0.Final.jar, transformer-5.2.10.Final.jar (shaded: org.wildfly.extras.batavia:transformer-api:1.0.12.Final), transformer-5.2.10.Final.jar, and
wildfly-galleon-plugins-5.2.10.Final.jar.

None of these jars seemed to be shipped within WildFly modules. I also checked this reference, https://access.redhat.com/security/cve/cve-2021-3503.

Are you able to confirm that WildFly 26.1.2.Final and 27.0.1.Final are not vulnerable to CVE-2021-3503?

Thanks in advance!

Regards,
Ming

Flavia Rainone

Feb 17, 2023, 6:08:25 PM
to WildFly
Hello Ming!

I did some research, and the Jira that is linked to the CVE is this one:
https://issues.redhat.com/browse/WFLY-11933 Error when accessing metrics with RBAC enabled

As you can see, it is fixed in version 24.0.0.Final. Any version after that one contains the fix, including 26.1.2.Final and 27.0.1.Final.

Best regards,
Flavia
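A small version-triage check for the question asked in this thread, added here as an example and not code from the WildFly project or from either poster. It takes the fix version (24.0.0.Final, from the WFLY-11933 reference in the reply above) and reports whether a given WildFly version string is at or past it. The ordering of pre-release qualifiers (Alpha < Beta < CR < Final) is an assumption about how WildFly numbers its builds and is not stated in the thread; the sample version list is constructed for illustration.

```python
"""
Does a WildFly version contain the fix for CVE-2021-3503 (WFLY-11933)?

Added example, not WildFly project code. FIX_VERSION comes from the reply
above; the qualifier ordering below (Alpha < Beta < CR < Final) is an
assumption about WildFly's release naming, not a fact from the thread.
"""
import re
from typing import Dict, Iterable, Tuple

FIX_VERSION = "24.0.0.Final"  # per WFLY-11933, as cited in the reply above

# Assumed pre-release ordering. A bare "24.0.0" is treated as a Final build.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3}

# major.minor.micro with an optional ".Qualifier<n>" suffix, e.g. 27.0.0.Beta1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '26.1.2.Final' into a tuple that compares in release order."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised WildFly version string: {version!r}")
    major, minor, micro = (int(match.group(i)) for i in (1, 2, 3))
    qualifier = (match.group(4) or "Final").lower()
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier {qualifier!r} in {version!r}")
    qualifier_number = int(match.group(5) or 0)
    return (major, minor, micro, _QUALIFIER_RANK[qualifier], qualifier_number)


def contains_fix(version: str, fix_version: str = FIX_VERSION) -> bool:
    """True if `version` is the fix release or any later release."""
    return parse_version(version) >= parse_version(fix_version)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it carries the WFLY-11933 fix."""
    return {v: contains_fix(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample: the two versions from the question plus edge cases
    # around the fix release (a pre-release of 24.0.0 predates the fix).
    sample = ["26.1.2.Final", "27.0.1.Final", "24.0.0.Final",
              "24.0.0.Beta1", "24.0.0.CR1", "23.0.2.Final"]
    for version, fixed in triage(sample).items():
        status = "contains fix" if fixed else "PREDATES fix, review"
        print(f"{version:15} {status}")
```

Note that this only answers the "which release" question from the thread; it says nothing about the build-time jars (galleon plugins, transformer) the scanner flagged, which the first post reports are not shipped in the WildFly modules directory and therefore need to be assessed separately from the server version.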