Red Hat's Enterprise Application Platform (EAP) is our enterprise application server product that is derived from the upstream WildFly application server community project. There is a significant difference between an upstream open source community project and the downstream enterprise product. Each release of EAP is derived from a community release of WildFly and then put through extensive quality engineering tests, defense in depth hardening, and a regular cadence of security patches and updates to meet the needs of enterprise users. EAP 7 was initially derived from WildFly 10+, but has since undergone several security updates and patches.
This table is a snapshot in time showing the number and type of vulnerabilities resolved in EAP after each community WildFly release. As you can see, the number and type of vulnerabilities grows over time. The WildFly community only publishes the latest release, so older releases are never patched. Users of WildFly must chase the next major release to try to stay current, but this is becoming more difficult because, since version 12, WildFly has produced a major release every three months. Each successive major release can include new, changed, deleted, or deprecated features, introducing more uncertainty for each upgrade.
Change to WildFly release cadence: WildFly will be moving away from time-boxed major feature releases for 2022, and will instead produce feature-boxed majors when key feature sets like EE 10 are ready. See WildFly Release Plans for 2022.
Minimum Number of Outstanding CVEs, by severity:

WildFly Release | Date | Critical | Important | Moderate | Low | Total
---|---|---|---|---|---|---
26.1.1.Final | 2022-05-19 | | | 14 | 1 | 15
26.1.0.Final | 2022-04-14 | | | 14 | 1 | 15
26.0.1.Final | 2022-01-21 | | 3 | 17 | 4 | 24
26.0.0.Final | 2021-12-16 | | 3 | 17 | 4 | 24
25.0.1.Final | 2021-11-04 | | 3 | 23 | 6 | 32
25.0.0.Final | 2021-10-05 | | 3 | 23 | 6 | 32
24.0.1.Final | 2021-07-27 | | 5 | 28 | 8 | 41
24.0.0.Final | 2021-06-17 | | 5 | 28 | 8 | 41
23.0.2.Final | 2021-04-29 | | 5 | 29 | 8 | 42
23.0.1.Final | 2021-04-14 | | 5 | 29 | 8 | 42
23.0.0.Final | 2021-03-11 | | 5 | 34 | 9 | 48
22.0.1.Final | 2021-02-11 | | 5 | 34 | 9 | 48
22.0.0.Final | 2021-01-13 | | 6 | 39 | 9 | 54
21.0.2.Final | 2020-12-16 | | 6 | 39 | 9 | 54
21.0.1.Final | 2020-11-19 | | 9 | 39 | 9 | 57
21.0.0.Final | 2020-10-13 | | 9 | 42 | 10 | 61
20.0.1.Final | 2020-07-07 | | 17 | 53 | 10 | 80
20.0.0.Final | 2020-06-08 | | 21 | 64 | 11 | 96
19.1.0.Final | 2020-05-04 | | 22 | 64 | 12 | 98
19.0.0.Final | 2020-03-18 | | 22 | 64 | 12 | 98
18.0.1.Final | 2019-11-14 | | 34 | 75 | 12 | 121
18.0.0.Final | 2019-10-03 | | 34 | 75 | 13 | 122
17.0.1.Final | 2019-07-03 | | 36 | 80 | 14 | 130
17.0.0.Final | 2019-06-10 | | 36 | 83 | 14 | 133
16.0.0.Final | 2019-02-27 | | 39 | 88 | 14 | 141
15.0.1.Final | 2019-01-05 | | 39 | 91 | 14 | 144
15.0.0.Final | 2018-11-30 | | 39 | 91 | 14 | 144
14.0.1.Final | 2018-09-05 | | 39 | 92 | 14 | 145
14.0.0.Final | 2018-08-30 | | 39 | 92 | 14 | 145
13.0.0.Final | 2018-05-30 | | 41 | 97 | 14 | 152
12.0.0.Final | 2018-02-28 | | 46 | 103 | 14 | 163
11.0.0.Final | 2017-10-23 | | 52 | 116 | 16 | 184
10.1.0.Final | 2016-08-20 | | 55 | 119 | 16 | 190
10.0.0.Final | 2016-01-30 | 1 | 55 | 119 | 16 | 191
9.0.1.Final | 2015-07-23 | 1 | 55 | 119 | 16 | 191
9.0.0.Final | 2015-07-02 | 1 | 55 | 119 | 16 | 191
8.2.1.Final | 2015-07-23 | 1 | 55 | 119 | 16 | 191
8.2.0.Final | 2014-11-20 | 1 | 55 | 119 | 16 | 191
8.1.0.Final | 2014-05-30 | 1 | 55 | 119 | 16 | 191
8.0.0.Final | 2014-02-11 | 1 | 55 | 119 | 16 | 191
Click on each version number above to see details on the vulnerabilities that were resolved in EAP 7 after the release dates of WildFly. Red Hat does not track Common Vulnerabilities and Exposures (CVE) in the community project WildFly. Red Hat only tracks CVEs within our supported enterprise products. These reports were generated using security metrics and tools available on the Red Hat Security Data page. WildFly releases prior to version 10 likely have more vulnerabilities than those indicated because they significantly pre-dated the first release of EAP 7.
Additionally, Red Hat EAP documentation provides detailed release notes for the initial release of EAP 7 and each successive cumulative patch update.
WildFly 10.0.0.Final was released on 2016-01-29, so all CVEs resolved against EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20160130- --xmlsummary EAP7-resolved-issues-post-wildfly-10.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-10.0.0.Final-release-date.txt
WildFly 10.1.0.Final was released on 2016-08-19, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20160820- --xmlsummary EAP7-resolved-issues-post-wildfly-10.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-10.1.0.Final-release-date.txt
WildFly 11.0.0.Final was released on 2017-10-23, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20171023- --xmlsummary EAP7-resolved-issues-post-wildfly-11.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-11.0.0.Final-release-date.txt
WildFly 12.0.0.Final was released on 2018-02-28, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180228- --xmlsummary EAP7-resolved-issues-post-wildfly-12.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-12.0.0.Final-release-date.txt
WildFly 13.0.0.Final was released on 2018-05-30, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180530- --xmlsummary EAP7-resolved-issues-post-wildfly-13.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-13.0.0.Final-release-date.txt
WildFly 14.0.0.Final was released on 2018-08-30, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180830- --xmlsummary EAP7-resolved-issues-post-wildfly-14.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-14.0.0.Final-release-date.txt
WildFly 14.0.1.Final was released on 2018-09-05, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20180905- --xmlsummary EAP7-resolved-issues-post-wildfly-14.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-14.0.1.Final-release-date.txt
WildFly 15.0.0.Final was released on 2018-11-30, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20181130- --xmlsummary EAP7-resolved-issues-post-wildfly-15.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-15.0.0.Final-release-date.txt
WildFly 15.0.1.Final was released on 2019-01-05, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190105- --xmlsummary EAP7-resolved-issues-post-wildfly-15.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-15.0.1.Final-release-date.txt
WildFly 16.0.0.Final was released on 2019-02-27, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190227- --xmlsummary EAP7-resolved-issues-post-wildfly-16.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-16.0.0.Final-release-date.txt
WildFly 17.0.0.Final was released on 2019-06-10, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190610- --xmlsummary EAP7-resolved-issues-post-wildfly-17.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-17.0.0.Final-release-date.txt
WildFly 17.0.1.Final was released on 2019-07-03, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20190703- --xmlsummary EAP7-resolved-issues-post-wildfly-17.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-17.0.1.Final-release-date.txt
WildFly 18.0.0.Final was released on 2019-10-03, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20191003- --xmlsummary EAP7-resolved-issues-post-wildfly-18.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-18.0.0.Final-release-date.txt
WildFly 18.0.1.Final was released on 2019-11-14, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20191114- --xmlsummary EAP7-resolved-issues-post-wildfly-18.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-18.0.1.Final-release-date.txt
WildFly 19.0.0.Final was released on 2020-03-18, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200318- --xmlsummary EAP7-resolved-issues-post-wildfly-19.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-19.0.0.Final-release-date.txt
WildFly 19.1.0.Final was released on 2020-05-04, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200504- --xmlsummary EAP7-resolved-issues-post-wildfly-19.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-19.1.0.Final-release-date.txt
WildFly 20.0.0.Final was released on 2020-06-08, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200608- --xmlsummary EAP7-resolved-issues-post-wildfly-20.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-20.0.0.Final-release-date.txt
WildFly 20.0.1.Final was released on 2020-07-07, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20200707- --xmlsummary EAP7-resolved-issues-post-wildfly-20.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-20.0.1.Final-release-date.txt
WildFly 21.0.0.Final was released on 2020-10-13, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201013- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.0.Final-release-date.txt
WildFly 21.0.1.Final was released on 2020-11-19, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201119- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.1.Final-release-date.txt
WildFly 21.0.2.Final was released on 2020-12-16, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20201216- --xmlsummary EAP7-resolved-issues-post-wildfly-21.0.2.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-21.0.2.Final-release-date.txt
WildFly 22.0.0.Final was released on 2021-01-13, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210113- --xmlsummary EAP7-resolved-issues-post-wildfly-22.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-22.0.0.Final-release-date.txt
WildFly 22.0.1.Final was released on 2021-02-11, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210211- --xmlsummary EAP7-resolved-issues-post-wildfly-22.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-22.0.1.Final-release-date.txt
WildFly 23.0.0.Final was released on 2021-03-11, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210311- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.0.Final-release-date.txt
WildFly 23.0.1.Final was released on 2021-04-14, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210414- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.1.Final-release-date.txt
WildFly 23.0.2.Final was released on 2021-04-29, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210429- --xmlsummary EAP7-resolved-issues-post-wildfly-23.0.2.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-23.0.2.Final-release-date.txt
WildFly 24.0.0.Final was released on 2021-06-17, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210617- --xmlsummary EAP7-resolved-issues-post-wildfly-24.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-24.0.0.Final-release-date.txt
WildFly 24.0.1.Final was released on 2021-07-27, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20210727- --xmlsummary EAP7-resolved-issues-post-wildfly-24.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-24.0.1.Final-release-date.txt
WildFly 25.0.0.Final was released on 2021-10-05, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211005- --xmlsummary EAP7-resolved-issues-post-wildfly-25.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-25.0.0.Final-release-date.txt
WildFly 25.0.1.Final was released on 2021-11-04, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211104- --xmlsummary EAP7-resolved-issues-post-wildfly-25.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-25.0.1.Final-release-date.txt
WildFly 26.0.0.Final was released on 2021-12-16, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20211216- --xmlsummary EAP7-resolved-issues-post-wildfly-26.0.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.0.0.Final-release-date.txt
WildFly 26.0.1.Final was released on 2022-01-21, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220121- --xmlsummary EAP7-resolved-issues-post-wildfly-26.0.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.0.1.Final-release-date.txt
WildFly 26.1.0.Final was released on 2022-04-14, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220414- --xmlsummary EAP7-resolved-issues-post-wildfly-26.1.0.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.1.0.Final-release-date.txt
WildFly 26.1.1.Final was released on 2022-05-19, so all CVEs resolved in EAP 7 after that date were reported using the command:
perl daysofrisk.pl --cpe jboss_enterprise_application_platform:7 --dates 20220519- --xmlsummary EAP7-resolved-issues-post-wildfly-26.1.1.Final-release-date.xml > EAP7-resolved-issues-post-wildfly-26.1.1.Final-release-date.txt
The XML reports were formatted to HTML using the html-report.xsl stylesheet.
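Each row of the table is a cumulative tally: every EAP 7 fix published from that WildFly release date onward, grouped by severity. The sketch below is an added example, not code from cve-rhsa-tools or daysofrisk.pl, and reproduces that tally over constructed records. The placeholder IDs, the fix dates, and the `inclusive` boundary switch are assumptions.

```python
from collections import Counter
from datetime import date

SEVERITIES = ("Critical", "Important", "Moderate", "Low")

# Constructed sample data: placeholder IDs and fix dates, not real advisories.
RESOLVED = [
    ("CVE-PLACEHOLDER-0001", "Critical",  date(2016, 3, 1)),
    ("CVE-PLACEHOLDER-0002", "Important", date(2017, 10, 23)),
    ("CVE-PLACEHOLDER-0003", "Moderate",  date(2018, 6, 15)),
    ("CVE-PLACEHOLDER-0004", "Important", date(2020, 7, 7)),
    ("CVE-PLACEHOLDER-0005", "Low",       date(2022, 2, 2)),
]

# Release dates copied from the table on this page.
RELEASES = {
    "10.1.0.Final": date(2016, 8, 20),
    "11.0.0.Final": date(2017, 10, 23),
    "20.0.1.Final": date(2020, 7, 7),
    "26.0.1.Final": date(2022, 1, 21),
}

def outstanding(cutoff, resolved=RESOLVED, inclusive=True):
    """Count fixes published on or after `cutoff`, grouped by severity.

    `inclusive` decides whether a fix published on the cutoff day itself is
    counted; it is an assumption of this sketch, not documented tool behaviour.
    """
    counts = Counter(
        severity for _cve, severity, fixed in resolved
        if fixed > cutoff or (inclusive and fixed == cutoff)
    )
    row = {severity: counts.get(severity, 0) for severity in SEVERITIES}
    row["Total"] = sum(row.values())
    return row

def table(releases=RELEASES, **kwargs):
    """One row per release, newest first, in the layout of the table above."""
    ordered = sorted(releases.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, day.isoformat(), outstanding(day, **kwargs))
            for name, day in ordered]

if __name__ == "__main__":
    for name, day, row in table():
        print(name, day, row)
```

Because the cutoff only moves forward, a newer release can never show a higher count than an older one, which is the pattern visible in the table.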
All of the scripts, HTML, and XSL templates that generate this page are in the cve-rhsa-tools GitHub project. All pull requests welcome!
Maintained by: rlucente at redhat dot com