tomee-commits mailing list archives

From "Alexandre Vermeerbergen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (TOMEE-2241) Need to upgrade commons-lang3-3.5.jar to commons-lang3-3.8.jar to allow Struts users to fix CVE-2018-11776 in their app
Date Fri, 21 Sep 2018 12:14:00 GMT
Alexandre Vermeerbergen created TOMEE-2241:
----------------------------------------------

             Summary: Need to upgrade commons-lang3-3.5.jar to commons-lang3-3.8.jar to allow Struts users to fix CVE-2018-11776 in their app
                 Key: TOMEE-2241
                 URL: https://issues.apache.org/jira/browse/TOMEE-2241
             Project: TomEE
          Issue Type: Dependency upgrade
          Components: TomEE Core Server
    Affects Versions: 7.0.5
            Reporter: Alexandre Vermeerbergen
             Fix For: 7.0.6


We are running our web apps with TomEE+ 7.0.5 and we are trying to upgrade our Apache Struts-based app to the latest version (Struts 2.5.17) because of CVE-2018-11776.

Fixing this CVE-2018-11776 security issue involves upgrading the web apps' Struts dependency to Struts 2.5.17 (see https://struts.apache.org/announce.html#a20180822-0).

However, it turns out that Struts 2.5.17 depends on new classes introduced in commons-lang3-3.6 (class org.apache.commons.lang3.reflect.MethodUtils does not have a getAnnotation method, which is expected by Struts 2.5.17), and Apache TomEE 7.0.5 comes with commons-lang3-3.5.jar.

commons-lang3-3.5.jar is very old; we should upgrade TomEE core's dependency to the latest commons-lang3. Currently this is commons-lang3-3.8.jar.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
