Bug 1001906 - Two versions of netty exist in kie-wb-distributions-tomcat7
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ER1
Target Release: 6.1.0
Assigned To: Ryan Zhang
QA Contact: Lukáš Petrovický
Depends On:
Blocks: 1092791 1092792
Reported: 2013-08-28 01:34 EDT by Ryan Zhang
Modified: 2016-04-28 01:08 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---

Description Ryan Zhang 2013-08-28 01:34:02 EDT
Description of problem:
There are two versions of netty in kie-wb-distributions-tomcat7.

[rzhang@/home/rzhang/tmp]$find . -name "netty*"

However, the netty artifact is explicitly defined as 3.2.6.Final in droolsjbpm-build-bootstrap. We should exclude the netty-4.0.0.*.

Comment 1 Ryan Zhang 2013-08-28 01:34:50 EDT
The same issue happens to kie-drools-wb-tomcat7 which needs the same fix.
Comment 3 Marek Baluch 2013-08-28 02:20:18 EDT
The tomcat war currently available in nexus does indeed contain two different netty versions.

[mbaluch@dhcp-4-225 lib]$ ls | grep netty
Comment 5 Geoffrey De Smet 2013-09-11 04:23:27 EDT
Reassigning to manstis's team, who handle kie-drools-wb and kie-wb wars.

It was strange to me that maven doesn't detect the conflict between netty 3.2.6.Final and netty 4.0.0.Alpha1.errai.r1.
After some research I found that the cause is in errai-bus:
kie-drools-wb-webapp [master=] $ mvn dependency:tree
[INFO] --- maven-dependency-plugin:2.5:tree (default-cli) @ kie-drools-wb-webapp ---
[INFO] org.kie:kie-drools-wb-webapp:war:6.1.0-SNAPSHOT
[INFO] +- org.jboss.errai:errai-bus:jar:2.4.0.CR1:compile
[INFO] |  +- org.jboss.netty:netty:jar:3.2.6.Final:compile (version managed from 3.2.7.Final)
[INFO] |  +- org.jboss.errai.io.netty:netty:jar:4.0.0.Alpha1.errai.r1:compile

Comment 6 Geoffrey De Smet 2013-09-11 04:28:15 EDT
Reassigning to porcelli, on manstis's request.
Comment 8 Alexandre Porcelli 2013-09-12 10:25:56 EDT
Already reported to Errai team: https://issues.jboss.org/browse/ERRAI-534
Comment 9 Alexandre Porcelli 2013-09-16 08:52:43 EDT
After talking to the Errai team, we don't need netty in our dependencies from Errai's point of view, as we don't use WebSockets.
Comment 10 Lukáš Petrovický 2013-10-17 02:32:45 EDT

ER4 -eap6 contains netty-4.0.0.Alpha1.errai.r1.jar
ER4 -generic contains netty-3.2.6.Final-redhat-2.jar

These versions should at the very least be standardized or even removed as suggested by comment 9.
Comment 11 Ryan Zhang 2014-01-02 00:46:21 EST
This issue remains on ER7.

[rzhang@/home/rzhang/lab/1brms6/ER7/bpms-deployable/jboss-eap-6.1]$find . -name "*netty*"
Comment 12 Ryan Zhang 2014-02-21 03:40:33 EST
Please estimate if this will scope to ER2.
This issue still remains on 6.0.1 ER1.

[rzhang@/lab/1brms6/6.0.1/ER1]$find . -name "*netty*"
Comment 13 Kris Verlaenen 2014-02-21 09:06:17 EST
Increasing the priority.
Comment 14 Toni Rikkola 2014-02-28 14:31:41 EST
I think the problem is not in the kie-wb-drools builds that we have, but in the business-central build. We exclude any extra netty versions in our assembly.xml files; it could be that this is missing.

It is also possible that this was fixed by some other ticket that I have no info about.
Comment 19 manstis 2014-05-08 09:05:40 EDT

Can you please clarify some requirements for me:

1) AS/EAP - doesn't need *any* netty libraries bundled with the webapps (as these containers include a netty distribution)

2) Tomcat does need a *single* netty library.

3) What about WebSphere?

4) I assume we'll have to settle for 3.2.10.Final (as this is the latest publicly available version).


Comment 27 Lukáš Petrovický 2014-06-18 10:50:48 EDT
Both BRMS and BPMS now only contain netty-3.2.6.Final-redhat-2.jar. VERIFIED with CR1.
Comment 29 Lukáš Petrovický 2014-06-27 07:27:33 EDT
There is no sign of Netty 3.6.9.

Comment 22 implies that this is OK, therefore I put it to VERIFIED.
Comment 30 Arun Babu Neelicattu 2014-06-30 02:34:10 EDT
@Lukáš, the zip available at [1] contains vulnerable netty bits v3.6.6.Final-redhat-1. This means this issue and bug 1092792 are not resolved. Are there more recent productized bits than [1]?

> jboss-bpms-6.0.2.GA-redhat-5-deployable-generic/jboss-bpms-engine/lib/netty-3.6.6.Final-redhat-1.jar

[1] http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic.zip
Comment 31 Lukáš Petrovický 2014-06-30 07:21:25 EDT
(In reply to Arun Babu Neelicattu from comment #30)
> @Lukáš, the zip available at [1] contains vulnerable netty bits
> v3.6.6.Final-redhat-1. This means this issue and bug 1092792 is not
> resolved. Is there more recent productized bits than [1]?

This issue was originally related to multiple versions of Netty in the distribution. There is just one now, and therefore the original issue has indeed been fixed.

The fact that the upgrade to Netty did not happen is an oversight on my part. In the future, a separate issue should be filed for this sort of thing, instead of having multiple distinct problems reported as one BZ.

> [1] http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic.zip

Arun, this is it. CR2 (= 6.0.2.GA-redhat-5) is going to be released today, unless you want to stop it.
Comment 32 Rajesh Rajasekaran 2014-06-30 09:09:06 EDT
Ok. Comment https://bugzilla.redhat.com/show_bug.cgi?id=1092783#c8 says v3.2.6 is not affected by the vulnerability; if that is the version bundled, then we should be fine?

The latest commit referenced in this bz gave me the impression that we were upgrading to 3.6.9 but that doesn't seem to be the case.
(6.0.x) http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/63221e1d9

As Arun pointed out, if we still bundle v3.6.6 then this issue isn't resolved and we might still have an affected version.
> jboss-bpms-6.0.2.GA-redhat-5-deployable-generic/jboss-bpms-engine/lib/netty-3.6.6.Final-redhat-1.jar

If we have to remove these CVEs from the list of fixed CVEs in 6.0.2, then let's do that; we do not have the time to make any changes to the 6.0.2 GA candidate at this point.
Comment 33 Lukáš Petrovický 2014-06-30 09:43:21 EDT
I can see the problem now:

1/ The container deployables are OK. (They carry 3.2.6.)
2/ However, the engine ZIPs are not OK. (They carry 3.6.6.)

This is a mess.
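Added example, not part of this bug report or of the droolsjbpm/kie build: a POSIX shell check that lists every bundled version of a given jar under a deployable directory and fails when there is not exactly one. It automates what the reporter did by hand with `find` in the description, and it is the check that would have separated the container deployables (3.2.6) from the engine ZIPs (3.6.6) in comment 33. Maven's own dependency mediation does not catch this case, as comment 5 shows, because the two copies sit under different groupIds, so the packaged output is the reliable place to look. The sample layout, its directory names and the empty stand-in jar files are constructed; the version strings are the ones quoted in this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): report every version of a jar
# artifact bundled under a distribution directory, so a single-version policy
# can be enforced before a candidate build is signed off.

# list_versions DIR NAME -> one distinct version per line, derived from the
# file name, e.g. lib/netty-3.2.6.Final-redhat-2.jar -> 3.2.6.Final-redhat-2
list_versions() {
    dir=$1
    name=$2
    find "$dir" -type f -name "${name}-*.jar" | while read -r jar; do
        base=$(basename "$jar" .jar)
        printf '%s\n' "${base#"${name}-"}"
    done | sort -u
}

# version_count DIR NAME -> number of distinct versions found (0 if none)
version_count() {
    list_versions "$1" "$2" | grep -c . || true
}

# check_single_version DIR NAME -> exit 0 when exactly one version is
# bundled; exit 1 (with the versions on stderr) when several are present,
# which is the state this bug describes, or when none is present at all.
check_single_version() {
    n=$(version_count "$1" "$2")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "$2: $n distinct versions under $1:" >&2
    list_versions "$1" "$2" >&2
    return 1
}

# Constructed sample layout mirroring the file names quoted in the bug.
# Empty files stand in for the jars; these are not real artifacts.
# Prints the temporary root directory so callers can clean it up.
make_sample_dist() {
    d=$(mktemp -d)
    mkdir -p "$d/tomcat7/lib" "$d/engine/lib"
    : > "$d/tomcat7/lib/netty-3.2.6.Final-redhat-2.jar"
    : > "$d/tomcat7/lib/netty-4.0.0.Alpha1.errai.r1.jar"
    : > "$d/engine/lib/netty-3.6.6.Final-redhat-1.jar"
    printf '%s\n' "$d"
}

# Stand-alone demo: sh check_jar_versions.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_dist)
    check_single_version "$root/tomcat7" netty || echo "tomcat7: needs an exclusion"
    check_single_version "$root/engine" netty && echo "engine: single version bundled"
    rm -rf "$root"
fi
```

Point `check_single_version` at each unpacked deployable separately rather than at the whole distribution: the engine ZIP and the container deployables are shipped and consumed independently, so each must be checked on its own, which is exactly the distinction comment 33 draws.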
Comment 34 manstis 2014-07-01 04:28:15 EDT
Can you please advise where the engine ZIPs can be downloaded?

I've looked everywhere I can think of and can't find them.

(Community's "engine" download doesn't include netty).
Comment 35 Ryan Zhang 2014-07-01 04:48:51 EDT
Hi, Michael
It can be downloaded at http://download.devel.redhat.com/devel/candidates/BRMS/BPMS-6.0.2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic.zip
It's indeed included in the bpms-engine part, as shown below:
[rzhang@/lab/1brms6/6.0.2/CR2/jboss-bpms-6.0.2.GA-redhat-5-deployable-generic]$find . -name *netty*

The netty 3.6.6.Final-redhat-1 dependencyMgmt is inherited from EAP 6.1.1.
I think the fix should be to override it at the productization level.
I have assigned it to myself.

(In reply to manstis from comment #34)
> Can you please advise where the engine ZIPs can be downloaded?
> I've looked everywhere I can think of and can't find them.
> (Community's "engine" download doesn't include netty).
Comment 36 Ryan Zhang 2014-10-28 07:12:55 EDT
Only 3.6.9.Final-redhat-1 is present in DR4. 
I think this at least has been fixed since DR4.
Comment 37 jvahala 2014-11-25 09:09:11 EST
I have checked all zip files and found netty version 4.0.12.Final everywhere. So I assume this issue is resolved -> Verified on 6.1.0.ER1
