ICEfaces
  1. ICEfaces
  2. ICE-11468

Update 3rd Party Libraries

          Details

          • Type: Task Task
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: EE-4.3.0.GA_P01
          • Fix Version/s: EE-4.3.0.GA_P02
          • Component/s: Framework, Sample Apps
          • Labels:
            None
          • Environment:
            external jars, security

            Description

            A security scan has shown issues with up to the the myfaces 2.2.12 version. see
            https://issues.apache.org/jira/browse/MYFACES-4133
            this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.

            other jars that have security scans may be used in our samples and should also be updated if possible:-
            commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
            dom4j : 1.6.1 Open
            javax.servlet : jstl : 1.2 Open
            org.apache.poi : poi : 3.9 Open

             org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
            Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.

              Activity

                People

                • Assignee:
                  Arturo Zambrano
                  Reporter:
                  Judy Guglielmin
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: