We reviewed the original analysis and confirmed the conclusions we reached back in January 2023. Regarding the POI and iText libraries and their dependencies, these third party libraries included in ICEfaces do not pose a risk as long as they aren't used for other purposes than the ones ICEfaces uses them for. In other words, as long as the classes of these third party libraries aren't accessed directly by the application code, the risk is non-existent. Moreover, the Sonatype report mentions vulnerabilities in versions of these third party libraries that are actually older than the ones that ICEfaces actually uses. The POI library version reported is 3.17, but ICEfaces 3.3 ships with POI 3.7, and ICEfaces 4.3 ships with POI 4.1.2.
Likewise, the Eclipse Mojarra version reported is 2.3.7, but the Eclipse Mojarra version ICEfaces 4.3 ships with is 2.3.14. No Oracle Mojarra versions appear in the report.
The JSTL library is only included in a couple of sample/demo apps, which aren't meant for production.
The rhino library is only used to compress JavaScript at compile time, and it's never exposed in deployed applications.
Only the MyFaces library included contains the reported vulnerability CVE-2021-26296. Since the vast majority of our customers use Mojarra JSF, this is something that doesn't affect them at all. MyFaces users are advised to switch to Mojarra JSF or to set the following configuration settings to secureRandom, as recommended in this article.
org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN
org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN
org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN
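As an added example (not ICEfaces or MyFaces code): a small Python check that reads a web.xml and reports which of the three context-params above are missing or not set to secureRandom. The sample web.xml is constructed for the example, and the value random in it stands in for any non-secureRandom setting.

```python
# Added example, not ICEfaces or MyFaces code: audit a MyFaces web.xml for the three
# token-generation context-params named in the post. SAMPLE_WEB_XML is constructed.
import xml.etree.ElementTree as ET

REQUIRED_PARAMS = (
    "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN",
)
HARDENED_VALUE = "secureRandom"

# Constructed sample: CSRF token param hardened, view-state param left on a
# non-secureRandom value, websocket param missing entirely.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name>
    <param-value>secureRandom</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN</param-name>
    <param-value>random</param-value>
  </context-param>
</web-app>
"""

def context_params(web_xml_text):
    """Map param-name -> param-value for every <context-param>, namespace-agnostic."""
    params = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if elem.tag.split("}")[-1] != "context-param":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value")
    return params

def audit_myfaces_tokens(web_xml_text):
    """Return findings for params that are missing or not set to secureRandom."""
    params = context_params(web_xml_text)
    findings = []
    for name in REQUIRED_PARAMS:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: missing, add it with value {HARDENED_VALUE}")
        elif value != HARDENED_VALUE:
            findings.append(f"{name}: set to {value!r}, expected {HARDENED_VALUE!r}")
    return findings
```

An empty list from audit_myfaces_tokens means all three params are present and set to secureRandom.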
Attached security scan report for ICEfaces 4.3 and corresponding analysis.