WildFly - Application deployment issues related to trying to resolve security vulnerabilities
Introduction
So, at this moment in time I'm currently working with AKS, my team is currently utilising TwistLock & we've noticed a critical vulnerability with the base docker image that we're using. I was just wondering if anyone knew of a clean way in which we could get this to behave as expected?
My Primitive Solution
So, to get pass the critical vulnerability, I've implemented the following snippet into our Dockerfile, I've mostly done this as a test, I had very little hope that it would actually work. Surprisingly it works more than what I had imagined, but without further ado here's the code:
## Remove dependencies for twistlock.
RUN rm -r /opt/jboss/wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/
RUN rm -r /opt/jboss/wildfly/modules/system/layers/base/org/apache/commons/beanutils/
RUN rm -r /opt/jboss/wildfly/modules/system/layers/base/org/picketlink/
RUN rm -r /opt/jboss/wildfly/bin/client
I decided to manually try to remove the dependencies associated with WildFly itself, but without surprise, this resulted in the applications failing to successfully deploy.
Additional
Even if I specify the dependencies in the pom file like so, it still doesn't work:
<!-- ... Other parts of the pom ... -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10</version><!--$NO-MVN-MAN-VER$-->
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.9.10</version><!--$NO-MVN-MAN-VER$-->
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
<version>2.9.10</version><!--$NO-MVN-MAN-VER$-->
</dependency>
</dependencies>
<!-- ... Other parts of the pom ... -->
I've also tried including a jboss-deployment-structure.xml file, with the following code:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
<deployment>
<exclusions>
<module name="com.fasterxml.jackson.core.jackson-core" />
<module name="com.fasterxml.jackson.core.jackson-databind" />
<module name="com.fasterxml.jackson.core.jackson-annotations" />
</exclusions>
</deployment>
</jboss-deployment-structure>
The Output
It's not surprise that I get the following error in the logs, but I was wondering if it's at all possible to get past this problem:
Conclusion
Obviously my far from suitable solution doesn't work & unfortunately JBoss/WildFly configuration/administration is far from being one of my specialist areas.
Does anyone have any possible solutions?
Solution
Thankfully, after an array of attempts to tinker with this problem, I believe that I have found the most suitable solution, thankfully it would appear that I was on the right lines, however I needed to just add a little extra. It was as simple as updating my jboss-deployment-structure.xml file to utilise the following markup:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
<deployment>
<exclusions>
<module name="com.fasterxml.jackson.core.jackson-core" />
<module name="com.fasterxml.jackson.core.jackson-databind" />
<module name="com.fasterxml.jackson.core.jackson-annotations" />
<module name="com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider" />
<module name="org.jboss.resteasy.resteasy-jackson2-provider" />
<module name="org.jboss.resteasy.resteasy-jackson-provider" />
</exclusions>
</deployment>
</jboss-deployment-structure>
I've successfully been able to deploy the application that I'm working on, I've now only one more vulnerability which goes beyond the scope of the application layer.
- NullPointerException in Java JDK code while performing parallelStream.forEach(..)
- Locating code that is filling PermGen with dead Groovy code
- Cannot find test class in project - "The input type of the launch configuration does not exist"
- Passing the values to the fraction class in java
- How to use different authentication methods for different paths using Spring Security
- how to fetch and validate csv header in open csv?
- 4-Sum algorithm failing with duplicate values in Java
- Error getting month while using Calendar object
- java Calendar Timezones strange stuff
- java.util.Date class with different approach for same date gives different output
- Finding out the type of invoked method in JDT
- How to get the size of a file in MB (Megabytes)?
- Exception in thread "main" java.lang.IllegalStateException: Attempted to load Config resource 'class path resource [application.yml]'
- Why does Google Calendar.Events.Watch say my request is not HTTPS
- Java - Class.forName, how to get a Field from Class
- Use of verify() method with and without times(1) parameter
- JDBC connection without database definition
- Running my testNG project from a jar using Maven
- Do subclasses inherit interfaces?
- Spring Security - how can I ask invoke access control methods directly?
- most accurate time type in java?
- How to get the currently selected application from Windows in Java
- validate the credit card expiry date using java?
- Finding the square root of a number by using binary search
- log4j : current time in milliseconds
- Why Joda DateTime gives different result than Java Date?
- Tomcat - maxThreads vs. maxConnections
- Android notification importance cannot be changed
- How to enable all endpoints in actuator (Spring Boot 2.0.0 RC1)
- Map rainbow colors to RGB