[CVE] Fix CVE-2021-20250 (jboss-remoting) #2555

LightGuard · 2025-02-06T15:00:37Z

Issue in the remoting code that we're putting in from JBoss. EAP 7.4.20 is using wildfly, so aligning with that version.

LightGuard · 2025-02-06T19:05:03Z

Glad this one went green.

baldimir · 2025-02-07T14:09:40Z

jenkins run cdb

baldimir · 2025-02-07T14:09:44Z

jenkins run fdb

LightGuard · 2025-02-07T16:26:00Z

These look like the repo died, or didn't allow connections. Do we try it again?

baldimir · 2025-02-10T10:09:02Z

jenkins run cdb

baldimir · 2025-02-10T10:09:14Z

jenkins run fdb

baldimir · 2025-02-10T10:09:39Z

@LightGuard yes, I see a lot of similar problems with the Node proxy in the jobs. I restarted.

baldimir · 2025-02-10T11:30:56Z

@LightGuard There is some problem in jbpm repository. Please see the compile downstream fail here:

[2025-02-10T10:34:36.781Z] [ERROR] [ERROR] Some problems were encountered while processing the POMs:
[2025-02-10T10:34:36.781Z] [ERROR] 'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z] [ERROR] 'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z]  @ 
[2025-02-10T10:34:36.781Z] [ERROR] The build could not read 2 projects -> [Help 1]
[2025-02-10T10:34:36.781Z] org.apache.maven.project.ProjectBuildingException: Some problems were encountered while processing the POMs:
[2025-02-10T10:34:36.781Z] [ERROR] 'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z] [ERROR] 'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z] 
[2025-02-10T10:34:36.781Z]     at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:397)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.graph.DefaultGraphBuilder.collectProjects (DefaultGraphBuilder.java:414)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.graph.DefaultGraphBuilder.getProjectsForMavenReactor (DefaultGraphBuilder.java:405)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.graph.DefaultGraphBuilder.build (DefaultGraphBuilder.java:82)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.DefaultMaven.buildGraph (DefaultMaven.java:507)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:219)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
[2025-02-10T10:34:36.781Z]     at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
[2025-02-10T10:34:36.781Z]     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
[2025-02-10T10:34:36.781Z]     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
[2025-02-10T10:34:36.781Z]     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
[2025-02-10T10:34:36.781Z]     at java.lang.reflect.Method.invoke (Method.java:566)
[2025-02-10T10:34:36.781Z]     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
[2025-02-10T10:34:36.781Z]     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
[2025-02-10T10:34:36.781Z]     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
[2025-02-10T10:34:36.781Z]     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[2025-02-10T10:34:36.781Z] [ERROR]   
[2025-02-10T10:34:36.781Z] [ERROR]   The project org.jbpm:jbpm-container-test-suite:7.67.2-SNAPSHOT (/home/jenkins/workspace/KIE/7.67.x-blue/compile/droolsjbpm-build-bootstrap-7.67.x-blue.compile/bc/kiegroup_jbpm/jbpm-container-test/jbpm-in-container-test/jbpm-container-test-suite/pom.xml) has 1 error
[2025-02-10T10:34:36.781Z] [ERROR]     'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z] [ERROR]   
[2025-02-10T10:34:36.781Z] [ERROR]   The project org.jbpm:jbpm-remote-ejb-test-suite:7.67.2-SNAPSHOT (/home/jenkins/workspace/KIE/7.67.x-blue/compile/droolsjbpm-build-bootstrap-7.67.x-blue.compile/bc/kiegroup_jbpm/jbpm-container-test/jbpm-remote-ejb-test/jbpm-remote-ejb-test-suite/pom.xml) has 1 error
[2025-02-10T10:34:36.781Z] [ERROR]     'dependencies.dependency.version' for org.jboss:jboss-remote-naming:jar must be a valid version but is '${version.org.jboss.remote-naming}'. @ org.kie:kie-parent:7.67.2-SNAPSHOT, /home/jenkins/.m2/repository/org/kie/kie-parent/7.67.2-SNAPSHOT/kie-parent-7.67.2-SNAPSHOT.pom, line 4647, column 18
[2025-02-10T10:34:36.781Z] [ERROR] 
[2025-02-10T10:34:36.781Z] [ERROR] Re-run Maven using the -X switch to enable full debug logging.
[2025-02-10T10:34:36.782Z] [ERROR] 
[2025-02-10T10:34:36.782Z] [ERROR] For more information about the errors and possible solutions, please read the following articles:
[2025-02-10T10:34:36.782Z] [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException

LightGuard · 2025-02-11T05:08:57Z

jenkins run fdb

baldimir · 2025-02-11T09:47:26Z

jenkins run cdb

LightGuard · 2025-02-11T18:57:28Z

Well... Build chain worked, and the Jenkins pull request worked, but not the others.

LightGuard · 2025-02-11T18:57:49Z

jenkins run cdb

baldimir · 2025-02-12T11:35:28Z

There are these test failures in the full downstream build. All with the same error:

Updating remoting to wildfly version used in EAP 7.4.20 Signed-off-by: Jason Porter <[email protected]>

baldimir · 2025-02-13T09:19:51Z

jenkins run cdb

baldimir · 2025-02-13T09:19:56Z

jenkins run fdb

baldimir · 2025-02-18T12:04:20Z

Here are the last test failures:

Signed-off-by: Jason Porter <[email protected]>

LightGuard · 2025-02-19T18:58:32Z

jenkins run fdb

LightGuard · 2025-02-20T19:55:00Z

jenkins run cdb

LightGuard · 2025-02-21T20:35:26Z

jenkins run cdb

LightGuard · 2025-02-21T22:10:19Z

jenkins run fdb

baldimir · 2025-02-24T14:24:25Z

Failures in full downstream build are unrelated.

LightGuard requested review from baldimir and jstastny-cz February 6, 2025 16:33

LightGuard mentioned this pull request Feb 11, 2025

[CVE] CVE-2021-20250 kiegroup/jbpm#2453

Closed

Fixing CVE-2021-20250

6985e02

Updating remoting to wildfly version used in EAP 7.4.20 Signed-off-by: Jason Porter <[email protected]>

LightGuard force-pushed the CVE-2021-20250 branch from 67eaaab to 6985e02 Compare February 12, 2025 18:06

Going back to jboss-remoting

892f357

Signed-off-by: Jason Porter <[email protected]>

LightGuard changed the title ~~[CVE] Fix CVE-2021-20250~~ [CVE] Fix CVE-2021-20250 (jboss-remoting) Feb 19, 2025

baldimir merged commit b40bbca into kiegroup:7.67.x-blue Feb 24, 2025
3 of 5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE] Fix CVE-2021-20250 (jboss-remoting) #2555

[CVE] Fix CVE-2021-20250 (jboss-remoting) #2555

LightGuard commented Feb 6, 2025

LightGuard commented Feb 6, 2025

baldimir commented Feb 7, 2025

baldimir commented Feb 7, 2025

LightGuard commented Feb 7, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025 •

edited

Loading

LightGuard commented Feb 11, 2025

baldimir commented Feb 11, 2025

LightGuard commented Feb 11, 2025

LightGuard commented Feb 11, 2025

baldimir commented Feb 12, 2025

baldimir commented Feb 13, 2025

baldimir commented Feb 13, 2025

baldimir commented Feb 18, 2025

LightGuard commented Feb 19, 2025

LightGuard commented Feb 20, 2025

LightGuard commented Feb 21, 2025

LightGuard commented Feb 21, 2025

baldimir commented Feb 24, 2025 •

edited

Loading

[CVE] Fix CVE-2021-20250 (jboss-remoting) #2555

[CVE] Fix CVE-2021-20250 (jboss-remoting) #2555

Conversation

LightGuard commented Feb 6, 2025

LightGuard commented Feb 6, 2025

baldimir commented Feb 7, 2025

baldimir commented Feb 7, 2025

LightGuard commented Feb 7, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025

baldimir commented Feb 10, 2025 • edited Loading

LightGuard commented Feb 11, 2025

baldimir commented Feb 11, 2025

LightGuard commented Feb 11, 2025

LightGuard commented Feb 11, 2025

baldimir commented Feb 12, 2025

baldimir commented Feb 13, 2025

baldimir commented Feb 13, 2025

baldimir commented Feb 18, 2025

LightGuard commented Feb 19, 2025

LightGuard commented Feb 20, 2025

LightGuard commented Feb 21, 2025

LightGuard commented Feb 21, 2025

baldimir commented Feb 24, 2025 • edited Loading

baldimir commented Feb 10, 2025 •

edited

Loading

baldimir commented Feb 24, 2025 •

edited

Loading