
[7.67.x-blue] upgrade wildfly elytron library #2552

Open
wants to merge 3 commits into base: 7.67.x-blue

Conversation

ChinchuAjith (Author):

The current version is affected by CVE-2023-6236, so this upgrades wildfly-elytron to 2.2.5.Final and infinispan to 4.0.28.Final.

@baldimir (Member):

jenkins run fdb

@baldimir (Member):

jenkins run cdb

@baldimir (Member):

Looks like the changes don't align well with the EAP version we use. See the logs; it breaks the build of the product wars.

@baldimir (Member):

[2025-01-31T10:46:16.466Z] [INFO] ------------------------------------------------------------------------
[2025-01-31T10:46:16.466Z] [INFO] Reactor Summary for Business Central - Distributions 7.67.2-SNAPSHOT:
[2025-01-31T10:46:16.466Z] [INFO]
[2025-01-31T10:46:16.466Z] [INFO] Business Central - Distributions ................... SUCCESS [ 2.225 s]
[2025-01-31T10:46:16.466Z] [INFO] Business Central Parent ............................ SUCCESS [ 0.159 s]
[2025-01-31T10:46:16.466Z] [INFO] Business Central - Webapp Common ................... SUCCESS [ 2.455 s]
[2025-01-31T10:46:16.466Z] [INFO] Business Central Deployment Validation ............. SUCCESS [ 9.874 s]
[2025-01-31T10:46:16.466Z] [INFO] KIE Theme .......................................... SUCCESS [ 0.367 s]
[2025-01-31T10:46:16.466Z] [INFO] KIE Theme - Community .............................. SUCCESS [ 2.396 s]
[2025-01-31T10:46:16.467Z] [INFO] KIE Theme - Product ................................ SUCCESS [ 5.559 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Home Page - Community ........... SUCCESS [ 14.493 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Monitoring Webapp ............... FAILURE [ 43.188 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Webapp .......................... FAILURE [ 44.579 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Distribution Wars Parent ........ SUCCESS [ 2.359 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Monitoring Distribution Wars .... SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] Business Central - Distribution Wars ............... SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] jBPM server distribution ........................... SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] business central add-ons distribution .............. SUCCESS [ 17.434 s]
[2025-01-31T10:46:16.467Z] [INFO] Business Central Tests :: Parent ................... SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] Business Central Tests :: REST API ................. SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] KIE (Drools) Workbench Tests :: GUI ................ SKIPPED
[2025-01-31T10:46:16.467Z] [INFO] ------------------------------------------------------------------------
[2025-01-31T10:46:16.467Z] [INFO] BUILD FAILURE
[2025-01-31T10:46:16.467Z] [INFO] ------------------------------------------------------------------------
[2025-01-31T10:46:16.467Z] [INFO] Total time: 01:02 min (Wall Clock)
[2025-01-31T10:46:16.467Z] [INFO] Finished at: 2025-01-31T05:46:15-05:00
[2025-01-31T10:46:16.467Z] [INFO] ------------------------------------------------------------------------
[2025-01-31T10:46:16.467Z] [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-jar-maven-plugin:6.1.2.Final:package (default) on project business-monitoring-webapp: Packaging wildfly failed: InvocationTargetException: Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [
[2025-01-31T10:46:16.467Z] [ERROR] ("subsystem" => "elytron"),
[2025-01-31T10:46:16.467Z] [ERROR] ("filesystem-realm" => "KieRealm")
[2025-01-31T10:46:16.467Z] [ERROR] ]"
[2025-01-31T10:46:16.467Z] [ERROR] -> [Help 1]
[2025-01-31T10:46:16.467Z] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-jar-maven-plugin:6.1.2.Final:package (default) on project business-monitoring-webapp: Packaging wildfly failed
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:190)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:186)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.FutureTask.run (FutureTask.java:264)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:515)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.FutureTask.run (FutureTask.java:264)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
[2025-01-31T10:46:16.467Z] at java.lang.Thread.run (Thread.java:829)
[2025-01-31T10:46:16.467Z] Caused by: org.apache.maven.plugin.MojoExecutionException: Packaging wildfly failed
[2025-01-31T10:46:16.467Z] at org.wildfly.plugins.bootablejar.maven.goals.AbstractBuildBootableJarMojo.execute (AbstractBuildBootableJarMojo.java:540)
[2025-01-31T10:46:16.467Z] at org.wildfly.plugins.bootablejar.maven.goals.BuildBootableJarMojo.execute (BuildBootableJarMojo.java:55)
[2025-01-31T10:46:16.467Z] at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:190)
[2025-01-31T10:46:16.467Z] at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:186)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.FutureTask.run (FutureTask.java:264)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:515)
[2025-01-31T10:46:16.467Z] at java.util.concurrent.FutureTask.run (FutureTask.java:264)

@baldimir (Member):

Maybe Elytron 2.x needs some more configuration. Not sure.

@baldimir (Member):

Do you have any idea @akumar074, please?

@akumar074 (Member):

@ChinchuAjith The bump of the wildfly-elytron library from 1.15.x to 2.x could be risky. I would suggest upgrading to 1.15.24, which is the latest available version in the 1.15.x series and also contains the fix for CVE-2023-6236. wdyt @baldimir?

@ChinchuAjith (Author):

> @ChinchuAjith The bump of the wildfly-elytron library from 1.15.x to 2.x could be risky. I would suggest upgrading to 1.15.24, which is the latest available version in the 1.15.x series and also contains the fix for CVE-2023-6236. wdyt @baldimir?

1.15.24 also has the same CVE (https://mvnrepository.com/artifact/org.wildfly.security/wildfly-elytron/1.15.24.Final). All versions in the 1.15.x series have the same CVE. It is fixed in 1.16.0 and 1.16.1, but those have other vulnerabilities, so the next fixed version is 2.2.5. I have gone through the above PR link. Will connect with the team and work accordingly. Thanks!

@yesamer (Member) commented Jan 31, 2025:

jenkins run cdb

@akumar074 (Member) commented Feb 3, 2025:

@ChinchuAjith The 1.15.24 has the dependency CVE. I guess it's fine then.
The latest FDB run looks okay to me. In kie-wb-distributions I see an IT test failure, but I think it's unrelated.

@akumar074 (Member):

Jenkins run CDB

@akumar074 (Member):

Jenkins run fdb

@baldimir (Member) commented Feb 3, 2025:

jenkins run cdb

@baldimir (Member) commented Feb 3, 2025:

I am afraid Abhishek is right and we need to update to 1.15.23. It would be a big risk in a maintenance release not to align with what is in EAP, as Elytron is one of the core components of the EAP application server. I will investigate a bit more. See the EAP dependencies here: https://maven.repository.redhat.com/ga/org/jboss/bom/eap-runtime-artifacts/7.4.20.GA/eap-runtime-artifacts-7.4.20.GA.pom.
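The two checks this thread keeps circling back to, whether each wildfly-elytron version a build actually resolves falls in a range the participants call fixed (ChinchuAjith's "all 1.15.x affected, 1.16.0/1.16.1 fixed, 2.2.5 the next fixed version") and whether it matches the version the EAP BOM pins (baldimir's alignment concern), as one added Python example. It is not code from the kie-wb-distributions project. It parses the text of `mvn dependency:tree -Dincludes=org.wildfly.security:wildfly-elytron`; the sample tree and the BOM version are constructed inputs (the thread never states what eap-runtime-artifacts 7.4.20.GA pins), and the fixed ranges are encoded exactly as stated in the thread, not as an independently verified reading of the CVE-2023-6236 advisory.

```python
"""Audit the wildfly-elytron versions a Maven build resolves.

Added example, not code from the kie-wb-distributions project.  Two checks:
  1. does each resolved version fall in a range the thread calls fixed?
  2. does it match the version a BOM (e.g. eap-runtime-artifacts) pins?
Input is the output of:
  mvn dependency:tree -Dincludes=org.wildfly.security:wildfly-elytron
"""
import re
from dataclasses import dataclass

ELYTRON = "org.wildfly.security:wildfly-elytron"

# Fixed ranges exactly as stated by participants in this thread, as
# [lower, upper) numeric tuples (upper None = open-ended).  They are NOT an
# independently verified reading of the CVE-2023-6236 advisory.
FIXED_RANGES = [
    ((1, 16, 0), (2, 0, 0)),   # 1.16.0 and 1.16.1 fixed; all 1.15.x affected
    ((2, 2, 5), None),         # 2.x fixed from 2.2.5 onward
]

# Constructed sample input (not real project output) and a placeholder BOM
# pin; the thread does not state which version the EAP BOM actually pins.
BOM_VERSION = "1.15.24.Final"
SAMPLE_TREE = """\
[INFO] org.example:app:war:1.0-SNAPSHOT
[INFO] +- org.wildfly.security:wildfly-elytron:jar:1.15.24.Final:compile
[INFO] +- org.example:other-lib:jar:3.1.0:compile
[INFO] |  \\- org.wildfly.security:wildfly-elytron:jar:1.15.22.Final:compile
[INFO] \\- org.wildfly.security:wildfly-elytron:jar:2.2.5.Final:test
"""

# One artifact line of `mvn dependency:tree`; the leading tree glyphs vary.
# Shape: group:artifact:type[:classifier]:version:scope
TREE_LINE = re.compile(
    r"^\[INFO\]\s*[|+\\ -]*\s*"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):"
    r"(?:(?P<classifier>[\w-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)


def parse_version(version):
    """'1.15.24.Final' -> (1, 15, 24).  Only the numeric prefix is compared;
    the qualifier is ignored, which is enough for the release trains discussed
    here but is not full Maven version ordering (SP/CR qualifiers etc.)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(nums) + (0,) * (3 - len(nums))


def is_fixed(version):
    """True if the version lies inside one of FIXED_RANGES."""
    ver = parse_version(version)
    return any(ver >= lo and (hi is None or ver < hi) for lo, hi in FIXED_RANGES)


@dataclass
class Finding:
    version: str
    scope: str
    fixed: bool
    matches_bom: bool


def audit_tree(tree_text, bom_version):
    """One Finding per wildfly-elytron line, transitive paths included
    (dependency:tree prints each path through which the artifact is pulled)."""
    bom = parse_version(bom_version)
    findings = []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m or f"{m['group']}:{m['artifact']}" != ELYTRON:
            continue
        v = m["version"]
        findings.append(Finding(v, m["scope"], is_fixed(v), parse_version(v) == bom))
    return findings


def affected_versions(findings):
    """Distinct resolved versions still inside an affected range (per thread)."""
    return sorted({f.version for f in findings if not f.fixed})


if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE, BOM_VERSION):
        print(f"{ELYTRON}:{f.version} ({f.scope}): "
              f"{'fixed' if f.fixed else 'AFFECTED per thread'}, "
              f"{'matches BOM' if f.matches_bom else 'DIFFERS from BOM'}")
```

Running it against real output is a matter of piping `mvn dependency:tree -Dincludes=org.wildfly.security:wildfly-elytron` into `audit_tree`; the point of walking every line rather than the first hit is that a transitive path (the constructed `other-lib` branch above) can still drag in an older elytron even after the direct pin is bumped, which is exactly the kind of mismatch that surfaces only as a product-war build failure later.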

@ChinchuAjith (Author):

Downgraded wildfly dependency to 1.15.24 to make it compatible with EAP version.

@ChinchuAjith (Author):

jenkins run fdb

@baldimir (Member) commented Feb 5, 2025:

jenkins run cdb

@baldimir (Member) commented Feb 5, 2025:

jenkins run fdb

@akumar074 (Member):

Jenkins run fdb

@akumar074 (Member):

Jenkins run cdb

@yesamer (Member) commented Feb 5, 2025:

Jenkins run cdb

@yesamer (Member) commented Feb 5, 2025:

Jenkins run fdb

@akumar074 (Member):

@ChinchuAjith The current CDB failure seems related to the change. Take a look here: https://gist.github.com/akumar074/ba99f40b760dfa49f8e0cc7a2206e045

@baldimir (Member) commented Feb 7, 2025:

@ChinchuAjith Please check Abhishek's comment. Maybe we also need to upgrade WildFly to 23.0.3, or at least try.

@baldimir (Member) commented Feb 7, 2025:

It looks like we have the same failure in another PR here: https://jenkins-csb-business-automation-eng.dno.corp.redhat.com/job/KIE/job/7.67.x-blue/job/compile/job/droolsjbpm-build-bootstrap-7.67.x-blue.compile/41/consoleText. So it may not be related to the change.

@baldimir (Member) commented Feb 7, 2025:

It would still be good to find out why it is failing, though.

4 participants