Vulns brought by the recommended Wildfly version 26.1.3-Final for EJBCA 8.3.2

[fco-code-org]

Hello,

Using NexusIQ on EJBCA 8.3.2 relying on Wildfly 26.1.3-Final, I got this:

• CVE-2023-51775 (8.6) on jose 0.7.11
• CVE-2021-42392 (9.8) on wildfly-dist 26.1.3
• CVE-2022-1471 (9.8) on wildfly-dist 26.1.3
• CVE-2022-23221 (9.8) on wildfly-dist 26.1.3
• CVE-2022-45047 (9.8) on wildfly-dist 26.1.3/sshd-common : 2.7.0
• CVE-2023-25194 (8.8) on wildfly-dist 26.1.3
• CVE-2023-4759 (8.8) on wildfly-dist 26.1.3
• CVE-2022-1471 (9.8) on snakeyaml : 1.29
• CVE-2023-25194 (8.8) on kafka-clients : 3.1.0

How to get rid of these vulns ? Our customers won't accept this situation !

Best Regards.

[fco-code-org]

Any answer ?

[primetomas]

In general you will have to do vulnerability exposure management and look if you are affected by these CVEs. For WildFly the wildfly project is a good place, or JBoss EAP to get a supported version. You can harden WildFly quite some by removing unused components and such, even upgrading some libs. In the documentation there are some descriptions on what modules are used by EJBCA.

The EJBCA team does vulnerability exposure analysis on CVEs. There is a plan to start publishing this analysis on the doc site, but it’s not there yet as far as I can see.