vulnerability fix in ejbca7

[bhr83]

Hello All,
We are using ejbca7(wildfly26) and noticed following vulnerabilities.

        {
          "VulnerabilityID": "CVE-2023-6236",
          "PkgName": "org.wildfly.security:wildfly-elytron-http-oidc",
          "PkgPath": "var/lib/wildfly/bin/client/jboss-client.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@1.20.3.Final",
            "UID": "72da7fa95b419982"
          },
        {
          "VulnerabilityID": "CVE-2024-1233",
          "PkgName": "org.wildfly.security:wildfly-elytron-realm-token",
          "PkgPath": "opt/ejbca/dist/ejbca-ejb-cli/lib/jboss-client.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/org.wildfly.security/wildfly-elytron-realm-token@1.20.3.Final",
            "UID": "49924fcbbcb7b5cf"
          },

Able to successfully upgrade above in server part, but ejbca cli also utilizing the packages.
I got response from wildfly community in order to fix the above CVEs need to use latest versions of wildfly.
Since ejbca7 is compatible with wildfly26, unable to uplift latest wildfly. Any suggestions to mitigate the above vulnerabilities.

[primetomas]

EJBCA 7 is not supported any longer, it is old in itself. There are CVEs on EJBCA itself since then.
Neither of these CVEs are exploitable using EJBCA. jboss-client is only used for internal communication (calling EJBs within EJBCA) or on localhost from the ejbca cli. No JBoss/WilFly authentication is used for this anyhow. EJBCA 9 will upgrade to Jakarta EE 10, which means WilFly 30+ and later will be used.

You can always use JBoss EAP if you have no means of flagging these CVEs as non-relevant. But you should handle EJBCA CVes as well.