1. ICEfaces
  2. ICE-11468

update Myfaces library due to issue with security scan, do not use Mojarra 2.3.4 or 2.3.5


    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: EE-4.3.0.GA_P01
    • Fix Version/s: EE-4.3.0.GA_P02
    • Component/s: Framework, Sample Apps
    • Labels:
    • Environment:
      external jars, security


      A security scan has shown issues with up to the the myfaces 2.2.12 version. see
      this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.

      other jars that have security scans may be used in our samples and should also be updated if possible:-
      commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
      dom4j : 1.6.1 Open
      javax.servlet : jstl : 1.2 Open
      org.apache.poi : poi : 3.9 Open

       org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
      Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.


        There are no comments yet on this issue.


          • Assignee:
            Ken Fyten
            Judy Guglielmin
          • Votes:
            0 Vote for this issue
            1 Start watching this issue


            • Created: