Summary of EAP 7 Resolved Vulnerabilities

Red Hat Enterprise Application Platform is the enterprise product; WildFly is the community project

Red Hat's Enterprise Application Platform (EAP) is our enterprise application server product that is derived from the upstream WildFly application server community project. There is a significant difference between an upstream open source community project and the downstream enterprise product. Each release of EAP is derived from a community release of WildFly and then put through extensive quality engineering tests, defense in depth hardening, and a regular cadence of security patches and updates to meet the needs of enterprise users. EAP 7 was initially derived from WildFly 10+, but has since undergone several security updates and patches.

Resolved Vulnerabilities in EAP

This table is a snapshot in time showing the number and type of vulnerabilities resolved in EAP AFTER each community WildFly release. As you can see, the number and type of vulnerabilities grow over time. The WildFly community only publishes the latest release, so older releases are never patched. Users of WildFly must chase the next major release to try to stay current, but this is becoming more difficult because, since version 12, WildFly has produced a major release every three months. Each successive major release can include new, changed, deleted, or deprecated features, introducing more uncertainty for each upgrade.

Change to WildFly release cadence: WildFly will be moving away from time-boxed major feature releases for 2022, and will instead produce feature-boxed majors when key feature sets like EE 10 are ready. See WildFly Release Plans for 2022.

                             Minimum Number of Outstanding CVEs
WildFly Release  Date        Critical  Important  Moderate  Low  Total
26.1.1.Final     2022-05-19         -          -        14    1     15
26.1.0.Final     2022-04-14         -          -        14    1     15
26.0.1.Final     2022-01-21         -          3        17    4     24
26.0.0.Final     2021-12-16         -          3        17    4     24
25.0.1.Final     2021-11-04         -          3        23    6     32
25.0.0.Final     2021-10-05         -          3        23    6     32
24.0.1.Final     2021-07-27         -          5        28    8     41
24.0.0.Final     2021-06-17         -          5        28    8     41
23.0.2.Final     2021-04-29         -          5        29    8     42
23.0.1.Final     2021-04-14         -          5        29    8     42
23.0.0.Final     2021-03-11         -          5        34    9     48
22.0.1.Final     2021-02-11         -          5        34    9     48
22.0.0.Final     2021-01-13         -          6        39    9     54
21.0.2.Final     2020-12-16         -          6        39    9     54
21.0.1.Final     2020-11-19         -          9        39    9     57
21.0.0.Final     2020-10-13         -          9        42   10     61
20.0.1.Final     2020-07-07         -         17        53   10     80
20.0.0.Final     2020-06-08         -         21        64   11     96
19.1.0.Final     2020-05-04         -         22        64   12     98
19.0.0.Final     2020-03-18         -         22        64   12     98
18.0.1.Final     2019-11-14         -         34        75   12    121
18.0.0.Final     2019-10-03         -         34        75   13    122
17.0.1.Final     2019-07-03         -         36        80   14    130
17.0.0.Final     2019-06-10         -         36        83   14    133
16.0.0.Final     2019-02-27         -         39        88   14    141
15.0.1.Final     2019-01-05         -         39        91   14    144
15.0.0.Final     2018-11-30         -         39        91   14    144
14.0.1.Final     2018-09-05         -         39        92   14    145
14.0.0.Final     2018-08-30         -         39        92   14    145
13.0.0.Final     2018-05-30         -         41        97   14    152
12.0.0.Final     2018-02-28         -         46       103   14    163
11.0.0.Final     2017-10-23         -         52       116   16    184
10.1.0.Final     2016-08-20         -         55       119   16    190
10.0.0.Final     2016-01-30         1         55       119   16    191
9.0.1.Final      2015-07-23         1         55       119   16    191
9.0.0.Final      2015-07-02         1         55       119   16    191
8.2.1.Final      2015-07-23         1         55       119   16    191
8.2.0.Final      2014-11-20         1         55       119   16    191
8.1.0.Final      2014-05-30         1         55       119   16    191
8.0.0.Final      2014-02-11         1         55       119   16    191

Software Ages Like Milk, Not Wine

Click on each version number above to see details on the vulnerabilities that were resolved in EAP 7 after the release dates of WildFly. Red Hat does not track Common Vulnerabilities and Exposures (CVEs) in the community project WildFly. Red Hat only tracks CVEs within our supported enterprise products. These reports were generated using security metrics and tools available on the Red Hat Security Data page. WildFly releases prior to version 10 likely have more vulnerabilities than those indicated because they significantly pre-dated the first release of EAP 7.

Release Notes containing bug fixes for EAP

Additionally, Red Hat EAP documentation provides detailed release notes for the initial release of EAP 7 and each successive cumulative patch update.

How the reports were generated

The following files were downloaded from the Red Hat Security Data page:

WildFly 10.0.0.Final was released on 2016-01-29, so all CVEs resolved against EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20160130- --xmlsummary EAP7-resolved-issues-post-wildfly-10.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-10.0.0.Final-release-date.txt

WildFly 10.1.0.Final was released on 2016-08-19, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20160820- --xmlsummary EAP7-resolved-issues-post-wildfly-10.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-10.1.0.Final-release-date.txt

WildFly 11.0.0.Final was released on 2017-10-23, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20171023- --xmlsummary EAP7-resolved-issues-post-wildfly-11.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-11.0.0.Final-release-date.txt

WildFly 12.0.0.Final was released on 2018-02-28, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180228- --xmlsummary EAP7-resolved-issues-post-wildfly-12.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-12.0.0.Final-release-date.txt

WildFly 13.0.0.Final was released on 2018-05-30, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180530- --xmlsummary EAP7-resolved-issues-post-wildfly-13.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-13.0.0.Final-release-date.txt

WildFly 14.0.0.Final was released on 2018-08-30, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180830- --xmlsummary EAP7-resolved-issues-post-wildfly-14.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-14.0.0.Final-release-date.txt

WildFly 14.0.1.Final was released on 2018-09-05, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180905- --xmlsummary EAP7-resolved-issues-post-wildfly-14.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-14.0.1.Final-release-date.txt

WildFly 15.0.0.Final was released on 2018-11-30, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20181130- --xmlsummary EAP7-resolved-issues-post-wildfly-15.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-15.0.0.Final-release-date.txt

WildFly 15.0.1.Final was released on 2019-01-05, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190105- --xmlsummary EAP7-resolved-issues-post-wildfly-15.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-15.0.1.Final-release-date.txt

WildFly 16.0.0.Final was released on 2019-02-27, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190227- --xmlsummary EAP7-resolved-issues-post-wildfly-16.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-16.0.0.Final-release-date.txt

WildFly 17.0.0.Final was released on 2019-06-10, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190610- --xmlsummary EAP7-resolved-issues-post-wildfly-17.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-17.0.0.Final-release-date.txt

WildFly 17.0.1.Final was released on 2019-07-03, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190703- --xmlsummary EAP7-resolved-issues-post-wildfly-17.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-17.0.1.Final-release-date.txt

WildFly 18.0.0.Final was released on 2019-10-03, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20191003- --xmlsummary EAP7-resolved-issues-post-wildfly-18.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-18.0.0.Final-release-date.txt

WildFly 18.0.1.Final was released on 2019-11-14, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20191114- --xmlsummary EAP7-resolved-issues-post-wildfly-18.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-18.0.1.Final-release-date.txt

WildFly 19.0.0.Final was released on 2020-03-18, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200318- --xmlsummary EAP7-resolved-issues-post-wildfly-19.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-19.0.0.Final-release-date.txt

WildFly 19.1.0.Final was released on 2020-05-04, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200504- --xmlsummary EAP7-resolved-issues-post-wildfly-19.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-19.1.0.Final-release-date.txt

WildFly 20.0.0.Final was released on 2020-06-08, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200608- --xmlsummary EAP7-resolved-issues-post-wildfly-20.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-20.0.0.Final-release-date.txt

WildFly 20.0.1.Final was released on 2020-07-07, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200707- --xmlsummary EAP7-resolved-issues-post-wildfly-20.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-20.0.1.Final-release-date.txt

WildFly 21.0.0.Final was released on 2020-10-13, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201013- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.0.Final-release-date.txt

WildFly 21.0.1.Final was released on 2020-11-19, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201119- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.1.Final-release-date.txt

WildFly 21.0.2.Final was released on 2020-12-16, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201216- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.2.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.2.Final-release-date.txt

WildFly 22.0.0.Final was released on 2021-01-13, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210113- --xmlsummary EAP7-resolved-issues-post-wildfly-22.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-22.0.0.Final-release-date.txt

WildFly 22.0.1.Final was released on 2021-02-11, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210211- --xmlsummary EAP7-resolved-issues-post-wildfly-22.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-22.0.1.Final-release-date.txt

WildFly 23.0.0.Final was released on 2021-03-11, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210311- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.0.Final-release-date.txt

WildFly 23.0.1.Final was released on 2021-04-14, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210414- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.1.Final-release-date.txt

WildFly 23.0.2.Final was released on 2021-04-29, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210429- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.2.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.2.Final-release-date.txt

WildFly 24.0.0.Final was released on 2021-06-17, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210617- --xmlsummary EAP7-resolved-issues-post-wildfly-24.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-24.0.0.Final-release-date.txt

WildFly 24.0.1.Final was released on 2021-07-27, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210727- --xmlsummary EAP7-resolved-issues-post-wildfly-24.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-24.0.1.Final-release-date.txt

WildFly 25.0.0.Final was released on 2021-10-05, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211005- --xmlsummary EAP7-resolved-issues-post-wildfly-25.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-25.0.0.Final-release-date.txt

WildFly 25.0.1.Final was released on 2021-11-04, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211104- --xmlsummary EAP7-resolved-issues-post-wildfly-25.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-25.0.1.Final-release-date.txt

WildFly 26.0.0.Final was released on 2021-12-16, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211216- --xmlsummary EAP7-resolved-issues-post-wildfly-26.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.0.0.Final-release-date.txt

WildFly 26.0.1.Final was released on 2022-01-21, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220121- --xmlsummary EAP7-resolved-issues-post-wildfly-26.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.0.1.Final-release-date.txt

WildFly 26.1.0.Final was released on 2022-04-14, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220414- --xmlsummary EAP7-resolved-issues-post-wildfly-26.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.1.0.Final-release-date.txt

WildFly 26.1.1.Final was released on 2022-05-19, so all CVEs resolved in EAP 7 after that date were reported using the command:

perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220519- --xmlsummary EAP7-resolved-issues-post-wildfly-26.1.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.1.1.Final-release-date.txt

The XML reports were formatted to HTML using the html-report.xsl stylesheet.
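
The per-release commands above differ only in the version string and the start of the --dates range. As an added example (not part of the cve-rhsa-tools project), this shell script generates them from a release list; the function names and the RUN_REPORTS switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: drive daysofrisk.pl from a release list instead of one
# hand-written command per release. Function names and the RUN_REPORTS
# switch are this example's own; the command format is the page's.

CPE="jboss_enterprise_application_platform:7"

# start_date YYYY-MM-DD -> YYYYMMDD; rejects anything else so a typo in
# the list cannot silently widen or narrow the reporting window.
start_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *)  echo "bad date: $1" >&2; return 1 ;;
    esac
}

# report_cmd VERSION START -> one command line in the page's format, where
# START is the first day of the open-ended --dates range.
report_cmd() {
    d=$(start_date "$2") || return 1
    base="EAP7-resolved-issues-post-wildfly-$1-release-date"
    printf 'perl daysofrisk.pl --cpe %s --dates %s- --xmlsummary %s.xml > %s.txt\n' \
        "$CPE" "$d" "$base" "$base"
}

# generate_all reads "VERSION START" pairs on stdin. Dry run by default:
# commands are printed. Set RUN_REPORTS=1 to execute them in the current
# directory (daysofrisk.pl and its data files must be present).
generate_all() {
    while read -r version start; do
        [ -n "$version" ] || continue
        cmd=$(report_cmd "$version" "$start") || return 1
        if [ "${RUN_REPORTS:-0}" = 1 ]; then
            sh -c "$cmd" </dev/null
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Three rows taken from the table above; extend with the remaining releases.
generate_all <<'EOF'
26.1.1.Final 2022-05-19
26.1.0.Final 2022-04-14
26.0.1.Final 2022-01-21
EOF
```

A malformed date stops the run before any report is written, so a partial set of reports is never mistaken for a complete one.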

Contributing

All of the scripts, HTML, and XSL templates that generate this page are in the cve-rhsa-tools GitHub project. All pull requests welcome!

Maintained by: rlucente at redhat dot com
Last updated: