The same issue happens to kie-drools-wb-tomcat7 which needs the same fix.

tomcat war currently available in nexus contains indeed two different netty versions.

[mbaluch@dhcp-4-225 lib]$ ls | grep netty
netty-3.2.6.Final.jar
netty-4.0.0.Alpha1.errai.r1.jar

Reassigning to manstis's team, who handle kie-drools-wb and kie-wb wars.

It was strange to me that maven doesn't detect the conflict between netty 3.2.6.Final and netty 4.0.0.Alpha1.errai.r1.
After some research I found that the cause is in errai-bus:
kie-drools-wb-webapp [master=] $ mvn dependency:tree
[INFO] --- maven-dependency-plugin:2.5:tree (default-cli) @ kie-drools-wb-webapp ---
[INFO] org.kie:kie-drools-wb-webapp:war:6.1.0-SNAPSHOT
...
[INFO] +- org.jboss.errai:errai-bus:jar:2.4.0.CR1:compile
...
[INFO] |  +- org.jboss.netty:netty:jar:3.2.6.Final:compile (version managed from 3.2.7.Final)
...
[INFO] |  +- org.jboss.errai.io.netty:netty:jar:4.0.0.Alpha1.errai.r1:compile
...

HTH.

Reassigning to porcelli, on manstis's request.

Already reported to Errai team: https://issues.jboss.org/browse/ERRAI-534

After talking to Errai team, we don't need netty in our depedencies from errai point of view as we don't use WebSockets.

Reopening.

ER4 -eap6 contains netty-4.0.0.Alpha1.errai.r1.jar
ER4 -generic contains netty-3.2.6.Final-redhat-2.jar

These versions should at the very least be standardized or even removed as suggested by comment 9.

This issue remains on ER7.

[rzhang@/home/rzhang/lab/1brms6/ER7/bpms-deployable/jboss-eap-6.1]$find . -name "*netty*"
./standalone/deployments/business-central.war/WEB-INF/lib/netty-4.0.0.Alpha1.errai.r1.jar
./modules/system/layers/bpms/org/kie/lib/main/netty-3.2.6.Final-redhat-2.jar

Please estimate if this will scope to ER2.
This issue still remain on 6.0.1 ER1.

[rzhang@/lab/1brms6/6.0.1/ER1]$find . -name "*netty*"
./jboss-bpms-brms-6.0.1.GA-redhat-1-supplementary-tools/jboss-bpms-brms-6.0.1.GA-redhat-1-supplementary-tools/kie-config-cli-6.0.2-redhat-3-dist/lib/netty-3.2.6.Final-redhat-2.jar
./jboss-bpms-brms-6.0.1.GA-redhat-1-supplementary-tools/kie-config-cli-6.0.2-redhat-3-dist/lib/netty-3.2.6.Final-redhat-2.jar
./jboss-bpms-6.0.1.GA-redhat-1-deployable-eap6.x/jboss-eap-6.1/standalone/deployments/business-central.war/WEB-INF/lib/netty-4.0.0.Alpha1.errai.r1.jar
./jboss-bpms-6.0.1.GA-redhat-1-deployable-eap6.x/jboss-eap-6.1/modules/system/layers/bpms/org/kie/lib/main/netty-3.2.6.Final-redhat-2.jar
./jboss-bpms-6.0.1.GA-redhat-1-deployable-generic/jboss-bpms-6.0.1.GA-redhat-1-deployable-generic/jboss-bpms-manager/jboss-bpms-manager/business-central.war/WEB-INF/lib/netty-3.2.6.Final-redhat-2.jar
./jboss-brms-6.0.1.GA-redhat-1-deployable-generic/jboss-brms-6.0.1.GA-redhat-1-deployable-generic/jboss-brms-manager/jboss-brms-manager/business-central.war/WEB-INF/lib/netty-3.2.6.Final-redhat-2.jar
./jboss-eap-6.1/standalone/deployments/business-central.war/WEB-INF/lib/netty-4.0.0.Alpha1.errai.r1.jar
./jboss-eap-6.1/modules/system/layers/base/org/jboss/netty
./jboss-eap-6.1/modules/system/layers/base/org/jboss/netty/main/netty-3.6.6.Final-redhat-1.jar
./jboss-eap-6.1/modules/system/layers/bpms/org/kie/lib/main/netty-3.2.6.Final-redhat-2.jar
./jboss-brms-6.0.1.GA-redhat-1-deployable-eap6.x/jboss-eap-6.1/standalone/deployments/business-central.war/WEB-INF/lib/netty-4.0.0.Alpha1.errai.r1.jar
./jboss-brms-6.0.1.GA-redhat-1-deployable-eap6.x/jboss-eap-6.1/modules/system/layers/brms/org/kie/lib/main/netty-3.2.6.Final-redhat-2.jar

Increasing the priority.

I think the problem is in not in the kie-wb-drools builds that we have, but in the builds business-central build. We exclude any extra netty versions in our assembly.xml files, could be that this is missing.

It is also possible that this was fixed by some other ticket that I have no info about.

Ryan, 

can you please clarify some requirements for me:

1) AS/EAP - doens't need *any* netty libraries bundled with the webapp's (as these containers include a netty distribution)

2) Tomcat does need a *single* netty library.

3) What about WebSphere?

4) I assume we'll have to settle for 3.2.10.Final (as this is the latest publicly available version).

Thanks,

Mike

Both BRMS and BPMS now only contain netty-3.2.6.Final-redhat-2.jar. VERIFIED with CR1.

There is no sign of Netty 3.6.9.

Comment 22 implies that this is OK, therefore I put it to VERIFIED.

@Lukáš, the zip available at [1] contains vulnerable netty bits v3.6.6.Final-redhat-1. This means this issue and bug 1092792 is not resolved. Is there more recent productized bits than [1]?

> jboss-bpms-6.0.2.GA-redhat-5-deployable-generic/jboss-bpms-engine/lib/netty-3.6.6.Final-redhat-1.jar

[1] http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic.zip

(In reply to Arun Babu Neelicattu from comment #30)
> @Lukáš, the zip available at [1] contains vulnerable netty bits
> v3.6.6.Final-redhat-1. This means this issue and bug 1092792 is not
> resolved. Is there more recent productized bits than [1]?


This issue was originally related to multiple versions of Netty in the distribution. There is just one now, and therefore the original issue has indeed been fixed.

The fact that the upgrade to Netty did not happen is an oversight on my part. In the future, a separate issue should be filed for this sort of thing, instead of having multiple distinct problems reported as one BZ.

> [1]
> http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-
> 6.0.2.GA-redhat-5-deployable-generic.zip

Arun, this is it. CR2 (= 6.0.2.GA-redhat-5) is going to be released today, unless you want to stop it.

Ok. Comment https://bugzilla.redhat.com/show_bug.cgi?id=1092783#c8 says v3.2.6 is not affected by the vulnerability, if that is the version bundled then we should be fine?

The latest commit referenced in this bz gave me the impression that we were upgrading to 3.6.9 but that doesn't seem to be the case.
(6.0.x) http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/63221e1d9

As Arun pointed out if we still bundle v3.6.6 this issue isn't resolved then and we might still have an affected version. 
> jboss-bpms-6.0.2.GA-redhat-5-deployable-generic/jboss-bpms-engine/lib/netty-3.6.6.Final-redhat-1.jar

If we have to remove this CVE's from the list of fixed CVE's in 6.0.2, then let's do that, we do not have the time to make any changes to the 6.0.2 GA candidate at this point.

I can see the problem now:

1/ The container deployables are OK. (They carry 3.2.6.)
2/ However, the engine ZIPs are not OK. (They carry 3.6.6.)

This is a mess.

Can you please advise where the engine ZIPs can be downloaded?

I've looked everywhere I can think of and can't find them.

(Community's "engine" download doesn't include netty).

Hi, Michael
It can be downloaded at http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic.zip
It's indeed included in bpms-engine part as it show below:
[rzhang@/lab/1brms6/6.0.2/CR2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic]$find . -name *netty*
./jboss-bpms-6.0.2.GA-redhat-5-deployable-generic/jboss-bpms-engine/jboss-bpms-engine/lib/netty-3.6.6.Final-redhat-1.jar

The netty 3.6.6.Final-redhat-1 dependencyMgmt is inherited from EAP 6.1.1.
I think the fixes should be that overriding it in productization level. 
I have assigned it to myself. 


(In reply to manstis from comment #34)
> Can you please advise where the engine ZIPs can be downloaded?
> 
> I've looked everywhere I can think of and can't find them.
> 
> (Community's "engine" download doesn't include netty).

Only 3.6.9.Final-redhat-1 is present in DR4. 
I think this at least has been fixed since DR4.

I have checked all zip files and found 4.0.12.Final nette version everywhere. So I assume this issue is resolved -> Verified on 6.1.0.ER1