wildfly-security / wildfly-openssl

Generic OpenSSL bindings for Java
Apache License 2.0

Impact of openSSL security issues / vulnerabilities for wildfly #132

Open Lonzak opened 1 year ago

Lonzak commented 1 year ago

In light of the recent security vulnerabilities in openSSL, I would like to know the impact on wildfly's openSSL usage.

Disclaimer: I apologize if there is a clear answer to the question but I'm not too deep into the subject - hence this issue. The question whether these vulnerabilities can be exploited through wildfly is a totally different question but not part of this issue.

From what I read the wildfly-openssl-java artifact does not contain any native code. Okay so far. However the wildfly-openssl artifact contains binaries for Mac, Linux and Windows.

If you are running on x86_64 Mac, Windows or Linux then you can use the out of the box support provided by the wildfly-openssl artifact. (called libwfssl ...)

But on the other hand I read that it is necessary to register the provider (org.wildfly.openssl.path system property). However:

If this property is not present the standard system library search path will be used instead

So my question is:

If wildfly is running in an environment which contains (vulnerable) openSSL libraries (e.g. CentOS7 which contains openSSL 1.0.2)

For that case: Is there any chance that openSSL is used in wildfly (in any form)?

jstourac commented 1 year ago

Default SSLContext is JSSE. If you didn't switch it to OpenSSL, it isn't used.

You can check whether you use OpenSSL or not in the server log during the boot (note that this is logged only once, so you won't see it during reload). If you see a line like this in server.log during boot, you're using OpenSSL:

15:37:59,814 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-7) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2k-fips 23 Mar 2017
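The log check described in the comment above, turned into a small script as an added example; this is not code from the issue thread or from the wildfly-openssl project. The sample server.log contents are constructed for the example, and the temp-file paths are assumed. It looks for the WFOPENSSL0002 boot message, reports whether the OpenSSL SSLContext was actually initialised (otherwise JSSE is in use), and extracts the OpenSSL release branch so it can be compared against the advisories that prompted the question.

```shell
#!/bin/sh
# Added example, not part of the wildfly-openssl project: inspect a WildFly
# server.log for the WFOPENSSL0002 boot message. If the message is absent the
# OpenSSL provider never initialised and the default JSSE SSLContext is in use.

# Print "openssl" if the WFOPENSSL0002 message is present in the log, else "jsse".
sslcontext_in_use() {
    if grep -q 'WFOPENSSL0002' "$1"; then
        echo openssl
    else
        echo jsse
    fi
}

# Print the full OpenSSL version string from the first WFOPENSSL0002 line,
# e.g. "OpenSSL 1.0.2k-fips 23 Mar 2017"; prints nothing if OpenSSL is not used.
openssl_version_from_log() {
    sed -n 's/.*WFOPENSSL0002 OpenSSL Version \(.*\)$/\1/p' "$1" | head -n 1
}

# Reduce the version string to its release branch (e.g. "1.0.2", "1.1.1", "3.0.7")
# so it can be matched against the version ranges listed in an OpenSSL advisory.
openssl_release_branch() {
    openssl_version_from_log "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Human-readable summary for one log file.
report() {
    case "$(sslcontext_in_use "$1")" in
        openssl)
            echo "$1: OpenSSL provider active, $(openssl_version_from_log "$1") (branch $(openssl_release_branch "$1"))"
            ;;
        jsse)
            echo "$1: no WFOPENSSL0002 message, default JSSE SSLContext in use"
            ;;
    esac
}

# --- Constructed sample logs (assumed paths via mktemp) ---------------------
SAMPLE_OPENSSL_LOG=$(mktemp)
SAMPLE_JSSE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_OPENSSL_LOG" "$SAMPLE_JSSE_LOG"' EXIT

# Boot log of a server that switched its SSLContext to OpenSSL (constructed).
cat > "$SAMPLE_OPENSSL_LOG" <<'EOF'
15:37:58,100 INFO  [org.jboss.as] (MSC service thread 1-2) server starting (constructed line)
15:37:59,814 INFO  [org.wildfly.openssl.SSL] (MSC service thread 1-7) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2k-fips 23 Mar 2017
15:38:01,002 INFO  [org.jboss.as] (Controller Boot Thread) server started (constructed line)
EOF

# Boot log of a server left on the default JSSE SSLContext (constructed).
cat > "$SAMPLE_JSSE_LOG" <<'EOF'
15:40:12,340 INFO  [org.jboss.as] (MSC service thread 1-2) server starting (constructed line)
15:40:14,511 INFO  [org.jboss.as] (Controller Boot Thread) server started (constructed line)
EOF

report "$SAMPLE_OPENSSL_LOG"
report "$SAMPLE_JSSE_LOG"
```

To use it on a real deployment, point the functions at `$JBOSS_HOME/standalone/log/server.log` (or the domain equivalent) and make sure the file covers a full boot, since the message is written only at provider initialisation and not on reload.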
Lonzak commented 1 year ago

Thank you very much for the confirmation!