Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-4.3.0.GA_P01
    • Fix Version/s: EE-4.3.0.GA_P02
    • Component/s: Framework, Sample Apps
    • Labels:
      None
    • Environment:
      external jars, security

      Description

      A security scan has shown issues with up to the myfaces 2.2.12 version. See
      https://issues.apache.org/jira/browse/MYFACES-4133
      This has been resolved in myfaces 2.3.0, so that version of the jar should be tested/included in the next release.

      Other jars that have security scans may be used in our samples and should also be updated if possible:
      • commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
      • dom4j : 1.6.1 Open
      • javax.servlet : jstl : 1.2 Open
      • org.apache.poi : poi : 3.9 Open

      • org.glassfish : javax.faces : 2.3.5 Open -- scan states: "The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications."
      Explanation: v2.3.4 and 2.3.5 are the only versions that are vulnerable, so stay away from these 2 versions of Mojarra.
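A defender-side check that follows from the list above, added here as an example and not ICEfaces project code: given the jar filenames in a lib folder, flag the versions this ticket names as affected, using only the version floors and the exact Mojarra versions stated in the ticket. The rule table and the sample filenames are constructed from the ticket text; artifact names are read from the filenames, so a jar without a version in its name is skipped rather than guessed.

```python
# Added example, not ICEfaces project code: flag jars whose version this ticket names as affected.
import re
# artifact prefix -> rule, using only versions the ticket states; poi-ooxml etc. share POI's version
RULES = {
    "myfaces-bundle":    {"fixed": "2.3.0"},                # MYFACES-4133 resolved in 2.3.0
    "commons-beanutils": {"fixed": "1.9.4"},                # 1.9.2 / 1.9.3 flagged, 1.9.4 adopted
    "dom4j":             {"fixed": "2.1.3"},                # 1.6.1 flagged, 2.1.3 adopted
    "poi":               {"fixed": "4.1.2"},                # 3.9 flagged, 4.1.2 adopted
    "javax.faces":       {"affected": {"2.3.4", "2.3.5"}},  # only these two Mojarra versions
}
# 'name-1.2.3.jar': the greedy name group stops at the last '-' that precedes a numeric version
JAR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>\d+(?:\.\d+)*)\.jar$")

def vtuple(s):
    return tuple(int(p) for p in s.split("."))

def parse_jar(filename):
    """Return ('artifact', (1, 2, 3)), or None when the filename carries no numeric version."""
    m = JAR_RE.match(filename)
    return (m.group("name"), vtuple(m.group("ver"))) if m else None

def older(a, b):
    """Version tuple a precedes b; shorter tuples are zero-padded so 2.3 equals 2.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def check_jar(filename):
    """Return a finding string for a jar the ticket flags, else None."""
    parsed = parse_jar(filename)
    if parsed is None:
        return None  # no version in the name: check its MANIFEST.MF by hand instead
    name, ver = parsed
    for key, rule in RULES.items():
        if name != key and not name.startswith(key + "-"):
            continue
        if ".".join(map(str, ver)) in rule.get("affected", ()):
            return f"{filename}: version listed as affected in ICE-11468"
        if "fixed" in rule and older(ver, vtuple(rule["fixed"])):
            return f"{filename}: below fixed version {rule['fixed']}"
    return None

def scan_lib(filenames):
    """Findings for an iterable of jar filenames, e.g. os.listdir('lib')."""
    return [f for f in map(check_jar, filenames) if f]

# Constructed sample input: the ticket's 'removed' list plus the MyFaces version the scan named
REMOVED_JARS = ["javax.faces-2.3.5.jar", "myfaces-bundle-2.3.1.jar", "myfaces-bundle-2.2.12.jar",
                "commons-beanutils-1.9.3.jar", "dom4j-1.6.1.jar", "poi-3.9.jar",
                "poi-ooxml-3.9.jar", "poi-ooxml-schemas-3.9.jar", "xmlbeans-2.6.0"]
UPDATED_JARS = ["javax.faces-2.3.8.jar", "myfaces-bundle-2.3.6.jar", "commons-beanutils-1.9.4.jar",
                "dom4j-2.1.3.jar", "poi-4.1.2.jar", "poi-ooxml-4.1.2.jar", "xmlbeans-3.1.0.jar"]
```

Note that myfaces-bundle-2.3.1.jar is not flagged, matching the ticket's statement that the MyFaces issue was resolved in 2.3.0, while the bundle was still upgraded to 2.3.6 as a matter of hygiene.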

        Activity

        Arturo Zambrano added a comment -

        r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation

        Arturo Zambrano added a comment - edited

        These are the libraries that were updated and the jars that were removed:

        --------------------------------------------------------------------------------
        NAME                 VERSION    FILENAME
        --------------------------------------------------------------------------------
        Mojarra              2.3.5      javax.faces-2.3.5.jar
        Myfaces              2.3.1      myfaces-bundle-2.3.1.jar
        Commons BeanUtils    1.9.3      commons-beanutils-1.9.3.jar
        dom4j                1.6.1      dom4j-1.6.1.jar
        Apache POI           3.9        poi-3.9.jar
                                        poi-ooxml-3.9.jar
                                        poi-ooxml-schemas-3.9.jar
        XML Beans            2.6.0      xmlbeans-2.6.0
        --------------------------------------------------------------------------------

        These are the updated jars:

        --------------------------------------------------------------------------------
        NAME                 VERSION    FILENAME
        --------------------------------------------------------------------------------
        Mojarra              2.3.8      javax.faces-2.3.8.jar
        Myfaces              2.3.6      myfaces-bundle-2.3.6.jar
        Commons BeanUtils    1.9.4      commons-beanutils-1.9.4.jar
        dom4j                2.1.3      dom4j-2.1.3.jar
        Apache POI           4.1.2      poi-4.1.2.jar
                                        poi-ooxml-4.1.2.jar
                                        poi-ooxml-schemas-4.1.2.jar
        XML Beans            3.1.0      xmlbeans-3.1.0.jar
        --------------------------------------------------------------------------------

        These new jars were added as dependencies of the new version of POI:

        --------------------------------------------------------------------------------
        NAME                           VERSION    FILENAME
        --------------------------------------------------------------------------------
        Apache Commons Math            3.6.1      commons-math3-3.6.1.jar
        Apache Commons Collections4    4.4        commons-collections4-4.4.jar
        Apache Commons Compress        1.2        commons-compress-1.20.jar
        --------------------------------------------------------------------------------

        Other observations:

        • JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself.
        • The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation.
        • The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names.
        • The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it.
        • The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.
        Ken Fyten added a comment -

        Re-opened.

        The relevant .pom files need to be updated to indicate the correct versions of these updated libraries.

        Arturo Zambrano added a comment -

        r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder

        Arturo Zambrano added a comment -

        r57788: updated maven pom.xml files to use https in dependency repository URLs

        r57789: updated ant maven build script to use https in dependency repository URLs

        Arturo Zambrano added a comment -

        r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces

        Arturo Zambrano added a comment -

        r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)

        Arturo Zambrano added a comment - edited

        r53222, r53223: Added JAXB API jar to avoid build-time errors with JDK 11 (committed to trunk and P02 tag)

        Starting from Java 9, the JAXB API was moved out of Java SE, because it is considered part of Java EE. So, we're adding this jar, specifically for the mobi codebase, to be able to compile correctly on Java 9 and above. This doesn't affect anything when compiling with Java 8.

        https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j


          People

          • Assignee: Arturo Zambrano
          • Reporter: Judy Guglielmin
          • Votes: 0
          • Watchers: 3
