ICEfaces / ICE-11548

Eliminate or mitigate vulnerabilities in external libraries used by Icefaces

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
    • Component/s: Release
    • Labels:
      None
    • Environment:
      Any

      Description

      One of our customers ran a Sonatype security scan on various versions of Icefaces binary bundles. The scan reported various vulnerabilities. However, after analyzing the report, it was observed that none of those vulnerabilities are in Icefaces code but in external libraries that are included in the bundles. Further analysis revealed that many of those libraries don't pose a risk as long as they aren't used for purposes other than their original purpose within Icefaces. In some other cases newer versions of those libraries could completely eliminate the risks described in the report. This JIRA is to investigate how we can mitigate or eliminate those vulnerabilities in external libraries bundled with Icefaces from future releases.

        Activity

        Arturo Zambrano added a comment -

        Attached security scan report for Icefaces 4.3 and corresponding analysis.

        Arturo Zambrano added a comment -

        We reviewed the original analysis and confirmed the conclusions we reached back in January 2023. Regarding the POI and iText libraries and their dependencies, these third party libraries included in ICEfaces do not pose a risk as long as they aren't used for other purposes than the ones ICEfaces uses them for. In other words, as long as the classes of these third party libraries aren't accessed directly by the application code, the risk is non-existent. Moreover, the Sonatype report mentions vulnerabilities in versions of these third party libraries that are actually older than the ones that ICEfaces actually uses. The POI library version reported is 3.17, but ICEfaces 3.3 ships with POI 3.7, and ICEfaces 4.3 ships with POI 4.1.2.

        Likewise, the Eclipse Mojarra version reported is 2.3.7, but the Eclipse Mojarra version ICEfaces 4.3 ships with is 2.3.14. No Oracle Mojarra versions appear in the report.

        The JSTL library is only included in a couple of sample/demo apps, which aren't meant for production.

        The rhino library is only used to compress javascript at compile time, and it's never exposed in deployed applications.

        Only the MyFaces library included contains the reported vulnerability CVE-2021-26296. Since the vast majority of our customers use Mojarra JSF, this is something that doesn't affect them at all. MyFaces users are advised to switch to Mojarra JSF or to set the following configuration settings to secureRandom, as recommended in this article.

        org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN
        org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN
        org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN
        
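The following is an added example, not code from the ICEfaces project or from the comment above: a small audit that parses a MyFaces application's web.xml and reports whether each of the three context parameters named in the comment is set to secureRandom. The two embedded web.xml documents are constructed samples; the parameter names and the expected value come from the comment, and the value "random" in the weak sample is only a constructed illustration of a non-hardened setting.

```python
import xml.etree.ElementTree as ET

# Parameter names and the recommended value are taken from the JIRA comment.
MYFACES_RANDOM_KEY_PARAMS = (
    "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN",
)
EXPECTED = "secureRandom"


def _local(tag: str) -> str:
    """Strip the Java EE namespace prefix so tags compare by local name."""
    return tag.split("}")[-1]


def context_params(web_xml: str) -> dict:
    """Return {param-name: param-value} for every <context-param> in web.xml."""
    params = {}
    for node in ET.fromstring(web_xml).iter():
        if _local(node.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value")
    return params


def audit_myfaces_random_keys(web_xml: str) -> dict:
    """Map each MyFaces token parameter to 'ok', 'missing' or 'weak:<value>'."""
    params = context_params(web_xml)
    report = {}
    for name in MYFACES_RANDOM_KEY_PARAMS:
        if name not in params:
            report[name] = "missing"
        elif params[name] == EXPECTED:
            report[name] = "ok"
        else:
            report[name] = f"weak:{params[name]}"
    return report


# Constructed sample: the hardened configuration the comment recommends.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN</param-name><param-value>secureRandom</param-value></context-param>
  <context-param><param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name><param-value>secureRandom</param-value></context-param>
  <context-param><param-name>org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN</param-name><param-value>secureRandom</param-value></context-param>
</web-app>"""

# Constructed sample: only the CSRF parameter is present, and not set to secureRandom.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name><param-value>random</param-value></context-param>
</web-app>"""
```

Run `audit_myfaces_random_keys(open("WEB-INF/web.xml").read())` against a deployed MyFaces application; any entry other than "ok" is a setting to fix before treating CVE-2021-26296 as mitigated.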

          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0
            Watchers:
            1
