
[WFCORE-6578] CVE-2023-3171 WildFly heap exhaustion via deserialization #5760

Merged
merged 1 commit into from
Nov 10, 2023

Conversation

gaol
Contributor

@gaol gaol commented Nov 9, 2023

@github-actions github-actions bot added the deps-ok Dependencies have been checked, and there are no significant changes label Nov 9, 2023
@wildfly-ci

Core -> WildFly Preview Integration Build 13060 outcome was FAILURE using a merge of effd5cc
Summary: Tests failed: 1 (1 new), passed: 2781, ignored: 47 Build time: 02:04:04

Failed tests

TestSuite: org.eclipse.microprofile.fault.tolerance.tck.RetryTest.testRetryWithDelay: java.lang.AssertionError: The max number of execution should be greater than 4 but it was 2 expected [true] but found [false]
	at deployment.ftRetry.war//org.testng.Assert.fail(Assert.java:99)
	at deployment.ftRetry.war//org.testng.Assert.failNotEquals(Assert.java:1037)
	at deployment.ftRetry.war//org.testng.Assert.assertTrue(Assert.java:45)
	at deployment.ftRetry.war//org.eclipse.microprofile.fault.tolerance.tck.RetryTest.testRetryWithDelay(RetryTest.java:132)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at deployment.ftRetry.war//org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:133)
	at deployment.ftRetry.war//org.testng.internal.MethodInvocationHelper$1.runTestMethod(MethodInvocationHelper.java:239)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at jdk.internal.reflect.GeneratedMethodAccessor259.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at jdk.internal.reflect.GeneratedMethodAccessor257.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at jdk.internal.reflect.GeneratedMethodAccessor258.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at deployment.ftRetry.war//org.testng.internal.MethodInvocationHelper.invokeHookable(MethodInvocationHelper.java:253)
	at deployment.ftRetry.war//org.testng.internal.TestInvoker.invokeMethod(TestInvoker.java:594)
	at deployment.ftRetry.war//org.testng.internal.TestInvoker.invokeTestMethod(TestInvoker.java:173)
	at deployment.ftRetry.war//org.testng.internal.MethodRunner.runInSequence(MethodRunner.java:46)
	at deployment.ftRetry.war//org.testng.internal.TestInvoker$MethodInvocationAgent.invoke(TestInvoker.java:824)
	at deployment.ftRetry.war//org.testng.internal.TestInvoker.invokeTestMethods(TestInvoker.java:146)
	at deployment.ftRetry.war//org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:146)
	at deployment.ftRetry.war//org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:128)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at deployment.ftRetry.war//org.testng.TestRunner.privateRun(TestRunner.java:794)
	at deployment.ftRetry.war//org.testng.TestRunner.run(TestRunner.java:596)
	at deployment.ftRetry.war//org.testng.SuiteRunner.runTest(SuiteRunner.java:377)
	at deployment.ftRetry.war//org.testng.SuiteRunner.runSequentially(SuiteRunner.java:371)
	at deployment.ftRetry.war//org.testng.SuiteRunner.privateRun(SuiteRunner.java:332)
	at deployment.ftRetry.war//org.testng.SuiteRunner.run(SuiteRunner.java:276)
	at deployment.ftRetry.war//org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:53)
	at deployment.ftRetry.war//org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:96)
	at deployment.ftRetry.war//org.testng.TestNG.runSuitesSequentially(TestNG.java:1212)
	at deployment.ftRetry.war//org.testng.TestNG.runSuitesLocally(TestNG.java:1134)
	at deployment.ftRetry.war//org.testng.TestNG.runSuites(TestNG.java:1063)
	at deployment.ftRetry.war//org.testng.TestNG.run(TestNG.java:1031)
	at [email protected]//jakarta.servlet.http.HttpServlet.service(HttpServlet.java:527)
	at [email protected]//jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
	at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
	at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)


@wildfly-ci

Core -> Full Integration Build 13210 outcome was FAILURE using a merge of effd5cc
Summary: Tests failed: 1 (1 new), passed: 7648, ignored: 124 Build time: 04:25:10

Failed tests

org.jboss.as.test.integration.jpa.webtxem.WebJPATestCase(basic-integration-default-web).testReadWrite: java.io.IOException: java.util.concurrent.ExecutionException: java.io.IOException: HTTP Status 500 Response: <html><head><title>ERROR</title> (remainder of the server's HTML error page, inline CSS only, truncated in the CI report)

@yersan yersan changed the title [WFCORE-6578] WildFly heap exhaustion via deserialization [WFCORE-6578] CVE-2023-3171 WildFly heap exhaustion via deserialization Nov 9, 2023
@yersan
Collaborator

yersan commented Nov 9, 2023

Full integration - Linux is being tracked under WFLY-17349
Preview Integration Linux - JDK 17 — Error should be unrelated but there are not enough statistics yet.

@yersan yersan added the ready-for-merge This PR is ready to be merged and fulfills all requirements label Nov 10, 2023
@yersan yersan merged commit af76351 into wildfly:main Nov 10, 2023
@yersan
Collaborator

yersan commented Nov 10, 2023

Thanks @gaol
