Details
-
Type:
Task
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-4.3.0.GA_P01
-
Fix Version/s: EE-4.3.0.GA_P02
-
Component/s: Framework, Sample Apps
-
Labels:None
-
Environment:external jars, security
-
Support Case References:Support Case 14503:- https://icesoft.my.salesforce.com/5000g000027qZtm
-
Workaround Description:Mojarra does not seem to serialize the view state token for server side state saving
Description
A security scan has shown issues with up to the the myfaces 2.2.12 version. see
https://issues.apache.org/jira/browse/MYFACES-4133
this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.
other jars that have security scans may be used in our samples and should also be updated if possible:-
commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
dom4j : 1.6.1 Open
javax.servlet : jstl : 1.2 Open
org.apache.poi : poi : 3.9 Open
org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.
https://issues.apache.org/jira/browse/MYFACES-4133
this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.
other jars that have security scans may be used in our samples and should also be updated if possible:-
commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
dom4j : 1.6.1 Open
javax.servlet : jstl : 1.2 Open
org.apache.poi : poi : 3.9 Open
org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)
Show
Arturo Zambrano
added a comment - r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)
r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces
Show
Arturo Zambrano
added a comment - r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces
r57788: updated maven pom.xml files to use https in dependency repository URLs
r57789: updated ant maven build script to use https in dependency repository URLs
Show
Arturo Zambrano
added a comment - r57788: updated maven pom.xml files to use https in dependency repository URLs
r57789: updated ant maven build script to use https in dependency repository URLs
r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder
Show
Arturo Zambrano
added a comment - r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder
Re-opened.
The relevant .pom files need to be updated to indicate the correct versions of these updated libraries.
These are the libraries that were updated and the jars that were removed:
-------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.5 javax.faces-2.3.5.jar Myfaces 2.3.1 myfaces-bundle-2.3.1.jar Commons BeanUtils 1.9.3 commons-beanutils-1.9.3.jar dom4j 1.6.1 dom4j-1.6.1.jar Apache POI 3.9 poi-3.9.jar poi-ooxml-3.9.jar poi-ooxml-schemas-3.9.jar XML Beans 2.6.0 xmlbeans-2.6.0 --------------------------------------------------------------------------------
These are the updated jars:
-------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.8 javax.faces-2.3.8.jar Myfaces 2.3.6 myfaces-bundle-2.3.6.jar Commons BeanUtils 1.9.4 commons-beanutils-1.9.4.jar dom4j 2.1.3 dom4j-2.1.3.jar Apache POI 4.1.2 poi-4.1.2.jar poi-ooxml-4.1.2.jar poi-ooxml-schemas-4.1.2.jar XML Beans 3.1.0 xmlbeans-3.1.0.jar --------------------------------------------------------------------------------
These new jars were added as dependencies of the new version of POI:
-------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Apache Commons Math 3.6.1 commons-math3-3.6.1.jar Apache Commons Collections4 4.4 commons-collections4-4.4.jar Apache Commons Compress 1.2 commons-compress-1.20.jar --------------------------------------------------------------------------------
Other observations:
- JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself.
- The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation.
- The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names.
- The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it.
- The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.
Show
Arturo Zambrano
added a comment - - edited These are the libraries that were updated and the jars that were removed:
--------------------------------------------------------------------------------
NAME VERSION FILENAME
--------------------------------------------------------------------------------
Mojarra 2.3.5 javax.faces-2.3.5.jar
Myfaces 2.3.1 myfaces-bundle-2.3.1.jar
Commons BeanUtils 1.9.3 commons-beanutils-1.9.3.jar
dom4j 1.6.1 dom4j-1.6.1.jar
Apache POI 3.9 poi-3.9.jar
poi-ooxml-3.9.jar
poi-ooxml-schemas-3.9.jar
XML Beans 2.6.0 xmlbeans-2.6.0
--------------------------------------------------------------------------------
These are the updated jars:
--------------------------------------------------------------------------------
NAME VERSION FILENAME
--------------------------------------------------------------------------------
Mojarra 2.3.8 javax.faces-2.3.8.jar
Myfaces 2.3.6 myfaces-bundle-2.3.6.jar
Commons BeanUtils 1.9.4 commons-beanutils-1.9.4.jar
dom4j 2.1.3 dom4j-2.1.3.jar
Apache POI 4.1.2 poi-4.1.2.jar
poi-ooxml-4.1.2.jar
poi-ooxml-schemas-4.1.2.jar
XML Beans 3.1.0 xmlbeans-3.1.0.jar
--------------------------------------------------------------------------------
These new jars were added as dependencies of the new version of POI:
--------------------------------------------------------------------------------
NAME VERSION FILENAME
--------------------------------------------------------------------------------
Apache Commons Math 3.6.1 commons-math3-3.6.1.jar
Apache Commons Collections4 4.4 commons-collections4-4.4.jar
Apache Commons Compress 1.2 commons-compress-1.20.jar
--------------------------------------------------------------------------------
Other observations:
JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself.
The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation.
The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names.
The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it.
The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.
r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation
Show
Arturo Zambrano
added a comment - r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation
r53222, r53223: Added JAXB API jar to avoid build-time errors with JDK 11 (committed to trunk and P02 tag)
Starting from Java 9, the JAXB API were moved out of Java SE, because they are considered part of Java EE. So, we're adding this jar, specifically for the mobi codebase, to be able to compile correctly on Java 9 and above. This doesn't affect anything when compiling with Java 8.
https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j