Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
    • Component/s: Documentation
    • Labels:
      None
    • Environment:
      Any

      Description

      This JIRA is to review all the third-party libraries that are used by ICEfaces and to update them to newer versions that are as recent as feasible. The fact that ICEfaces uses javax.* packages, instead of the newer jakarta.* packages will be an important factor in determining how recent the newer libraries can be. The newer libraries should be thoroughly tested. Therefore, this JIRA should be completed as early as possible, in order to allow more time for testing. The main purpose of this improvement is to eliminate various vulnerabilities that some third-party libraries that we use are known to have. Those vulnerabilities don't pose a risk, as long as those third-party libraries aren't used for other purposes in an ICEfaces application other than the ones they are meant to be used by the ICEfaces framework itself, as explained in ICE-11548. However, it is best to completely eliminate those security risks and prevent those vulnerabilities from appearing in security scans. A report of all the libraries updated should be added to this JIRA, along with any relevant observations and notes, including those libraries for which we determined that it wasn't feasible to update them.

        Activity

        Hide
        Arturo Zambrano added a comment - - edited

        All of the third-party libraries that are used by ICEfaces were reviewed and assessed. Some of them were updated to newer versions while others were patched and others weren't modified. The main criteria for these decisions were security and stability. Security updates are an important aspect of ICEfaces patch releases, and they received special attention in this effort. And the stability that ICEfaces provides is also a quality that we want to preserve. As a result some libraries were only patched, while for some other libraries we determined that it was best not to change them. The following is a summary of the work done:

        The POI library, used for data exporting in XLS and XLSX formats, was updated to the latest available library, from 4.1.2 to 5.3.0. All its dependencies were updated as well to the prescribed versions in the release notes and in the Maven POM file. While the POI 4.1.2 library didn't have any vulnerabilities reported, some of its dependencies did have a few vulnerabilities reported. With this update, there are now no known vulnerabilities in the POI library used by ICEfaces nor in its dependencies, as of this writing.

        The iText library was updated from version 2.1.7 to version 5.5.13.4. The old version has one known vulnerability, while the new version doesn't have any vulnerabilities. However, the package names changed slightly from com.lowagie.* to com.itextpdf.*. Any application doing something custom with the old library (such as a custom exporter or pre-processors and post-processors) will have to update the imports of their custom code, if they decide to update to the newer library. A mechanism was implemented for the exporter components to use either the newer library or the older library, in that order of precedence, if available. So, the old iText library can continue to be used as usual, if desired.

        Research to find new vulnerabilities in the jQuery and jQuery UI libraries was performed and no new vulnerabilities were found for jQuery and 3 new vulnerabilities were found for jQuery UI. Their respective fixes were applied in our code. More information can be found in this other JIRA ICE-11564.

        Likewise, research to find new vulnerabilities in the CKEditor (ace:richTextEntry) was conducted, and two new vulnerabilities were found since the last update. The fixes were applied to our code. More information can be found in this other JIRA ICE-11563.

        The rest of the libraries remained the same. They can be classified in 3 categories: core libraries, build-time libraries, and minor Javascript libraries.

        The core libraries are mainly Mojarra JSF and Myfaces and its dependencies. They have remained the same for several years for stability reasons.

        None of the build-time libraries pose any security risks for application developers using Icefaces.

        As for the remaining minor Javascript libraries, which are used for specific components individually, no vulnerabilities were found in them, and they are no longer maintained by their original developers. We assessed their code for good measure and found no reasons for concern.

        Even without the updates and fixes described above, the ICEfaces framework has always been very secure due to its fundamental approach of rendering the markup in the server and validating and sanitizing all user input before using it. All of the Icefaces components have been designed carefully to avoid security issues. As long as the third-party libraries included in ICEfaces are only used for their original purposes (i.e. by the ICEfaces components only) applications developers can have peace of mind that their applications are secure.

        Show
        Arturo Zambrano added a comment - - edited All of the third-party libraries that are used by ICEfaces were reviewed and assessed. Some of them were updated to newer versions while others were patched and others weren't modified. The main criteria for these decisions were security and stability. Security updates are an important aspect of ICEfaces patch releases, and they received special attention in this effort. And the stability that ICEfaces provides is also a quality that we want to preserve. As a result some libraries were only patched, while for some other libraries we determined that it was best not to change them. The following is a summary of the work done: The POI library, used for data exporting in XLS and XLSX formats, was updated to the latest available library, from 4.1.2 to 5.3.0. All its dependencies were updated as well to the prescribed versions in the release notes and in the Maven POM file. While the POI 4.1.2 library didn't have any vulnerabilities reported, some of its dependencies did have a few vulnerabilities reported. With this update, there are now no known vulnerabilities in the POI library used by ICEfaces nor in its dependencies, as of this writing. The iText library was updated from version 2.1.7 to version 5.5.13.4. The old version has one known vulnerability, while the new version doesn't have any vulnerabilities. However, the package names changed slightly from com.lowagie.* to com.itextpdf.* . Any application doing something custom with the old library (such as a custom exporter or pre-processors and post-processors) will have to update the imports of their custom code, if they decide to update to the newer library. A mechanism was implemented for the exporter components to use either the newer library or the older library, in that order of precedence, if available. So, the old iText library can continue to be used as usual, if desired. Research to find new vulnerabilities in the jQuery and jQuery UI libraries was performed and no new vulnerabilities were found for jQuery and 3 new vulnerabilities were found for jQuery UI. Their respective fixes were applied in our code. More information can be found in this other JIRA ICE-11564 . Likewise, research to find new vulnerabilities in the CKEditor (ace:richTextEntry) was conducted, and two new vulnerabilities were found since the last update. The fixes were applied to our code. More information can be found in this other JIRA ICE-11563 . The rest of the libraries remained the same. They can be classified in 3 categories: core libraries, build-time libraries, and minor Javascript libraries. The core libraries are mainly Mojarra JSF and Myfaces and its dependencies. They have remained the same for several years for stability reasons. None of the build-time libraries pose any security risks for application developers using Icefaces. As for the remaining minor Javascript libraries, which are used for specific components individually, no vulnerabilities were found in them, and they are no longer maintained by their original developers. We assessed their code for good measure and found no reasons for concern. Even without the updates and fixes described above, the ICEfaces framework has always been very secure due to its fundamental approach of rendering the markup in the server and validating and sanitizing all user input before using it. All of the Icefaces components have been designed carefully to avoid security issues. As long as the third-party libraries included in ICEfaces are only used for their original purposes (i.e. by the ICEfaces components only) applications developers can have peace of mind that their applications are secure.
        Hide
        Arturo Zambrano added a comment - - edited

        More details about the iText library update.

        The iText library that we used (2.1.7) was the last of its product line for quite some time. A newer product line called iText Core is being published now, which is incompatible with the legacy product line of iText that we use. The version 4.2.0 of this legacy product line was incorrectly added to the Maven repository by another company that forked the code. Eventually, the company that originally created iText published versions 5.x of this legacy product line again, which to this day continues to receive security updates. The only difference is that the package names changed from com.lowagie.* to com.itextpdf.*. Other than that, no other changes are needed, and the updated library continues to work normally with existing code that uses it. We tested thoroughly our exporter components for PDF exporting and found no issues.

        The vulnerability that was eliminated is CVE-2017-9096.

        Since we don't include the iText library in ICEfaces due to licensing reasons, we use Java Reflection to make use of this library, if it's present in the class path. We added a mechanism to look for the newer library, and if it's not found, the code looks for the old library (and if it's not found either, the export operation is simple cancelled gracefully). So, it's possible to use either the newer or the older iText library on an ICEfaces application. However, if the application has some custom code that makes use of the iText library, its imports should be updated to the new package names, if the newer library is to be used.

        More related information can be found in the following URLs:

        https://stackoverflow.com/questions/62329351/pom-xml-error-missing-artifact-com-lowagieitextjar4-2-2-how-dowload-itext

        https://security.snyk.io/package/maven/com.itextpdf%3Aitextpdf

        https://central.sonatype.com/artifact/com.lowagie/itext/4.2.2?smo=true

        https://itextpdf.com/blog/technical-notes/my-maven-build-broken-what-should-i-do

        Show
        Arturo Zambrano added a comment - - edited More details about the iText library update. The iText library that we used (2.1.7) was the last of its product line for quite some time. A newer product line called iText Core is being published now, which is incompatible with the legacy product line of iText that we use. The version 4.2.0 of this legacy product line was incorrectly added to the Maven repository by another company that forked the code. Eventually, the company that originally created iText published versions 5.x of this legacy product line again, which to this day continues to receive security updates. The only difference is that the package names changed from com.lowagie.* to com.itextpdf.* . Other than that, no other changes are needed, and the updated library continues to work normally with existing code that uses it. We tested thoroughly our exporter components for PDF exporting and found no issues. The vulnerability that was eliminated is CVE-2017-9096. Since we don't include the iText library in ICEfaces due to licensing reasons, we use Java Reflection to make use of this library, if it's present in the class path. We added a mechanism to look for the newer library, and if it's not found, the code looks for the old library (and if it's not found either, the export operation is simple cancelled gracefully). So, it's possible to use either the newer or the older iText library on an ICEfaces application. However, if the application has some custom code that makes use of the iText library, its imports should be updated to the new package names, if the newer library is to be used. More related information can be found in the following URLs: https://stackoverflow.com/questions/62329351/pom-xml-error-missing-artifact-com-lowagieitextjar4-2-2-how-dowload-itext https://security.snyk.io/package/maven/com.itextpdf%3Aitextpdf https://central.sonatype.com/artifact/com.lowagie/itext/4.2.2?smo=true https://itextpdf.com/blog/technical-notes/my-maven-build-broken-what-should-i-do
        Hide
        Arturo Zambrano added a comment - - edited

        As for the POI library, the following jars were removed:

        • commons-codec-1.5.jar
        • commons-compress-1.20.jar
        • poi-4.1.2.jar
        • poi-ooxml-4.1.2.jar
        • poi-ooxml-schemas-4.1.2.jar
        • commons-collections4-4.4.jar
        • commons-math3-3.6.1.jar
        • xmlbeans-3.1.0.jar

        And these jars were added:

        • commons-codec-1.17.0.jar
        • commons-compress-1.26.2.jar
        • poi-5.3.0.jar
        • poi-ooxml-full-5.3.0.jar
        • poi-ooxml-5.3.0.jar
        • commons-collections4-4.4.jar
        • commons-math3-3.6.1.jar
        • xmlbeans-5.2.1.jar
        • commons-io-2.16.1.jar
        • log4j-api-2.23.1.jar
        • log4j-core-2.23.1.jar

        The vulnerabilities that were eliminated are listed below by jar:

        More related information can be found in the following URLs:

        https://security.snyk.io/package/maven/commons-codec%3Acommons-codec/1.5

        https://security.snyk.io/package/maven/org.apache.commons%3Acommons-compress/1.20

        https://security.snyk.io/package/maven/org.apache.poi%3Apoi/3.7

        https://poi.apache.org/changes.html

        https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#JAR_Scanning

        https://tomcat.apache.org/tomcat-7.0-doc/config/jar-scanner.html

        https://poi.apache.org/download.html#POI-5.3.0

        Show
        Arturo Zambrano added a comment - - edited As for the POI library, the following jars were removed: commons-codec-1.5.jar commons-compress-1.20.jar poi-4.1.2.jar poi-ooxml-4.1.2.jar poi-ooxml-schemas-4.1.2.jar commons-collections4-4.4.jar commons-math3-3.6.1.jar xmlbeans-3.1.0.jar And these jars were added: commons-codec-1.17.0.jar commons-compress-1.26.2.jar poi-5.3.0.jar poi-ooxml-full-5.3.0.jar poi-ooxml-5.3.0.jar commons-collections4-4.4.jar commons-math3-3.6.1.jar xmlbeans-5.2.1.jar commons-io-2.16.1.jar log4j-api-2.23.1.jar log4j-core-2.23.1.jar The vulnerabilities that were eliminated are listed below by jar: commons-codec-1.5.jar https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518 commons-compress-1.20.jar CVE-2024-25710 CVE-2017-5644 CVE-2021-35517 CVE-2021-35515 CVE-2021-36090 More related information can be found in the following URLs: https://security.snyk.io/package/maven/commons-codec%3Acommons-codec/1.5 https://security.snyk.io/package/maven/org.apache.commons%3Acommons-compress/1.20 https://security.snyk.io/package/maven/org.apache.poi%3Apoi/3.7 https://poi.apache.org/changes.html https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#JAR_Scanning https://tomcat.apache.org/tomcat-7.0-doc/config/jar-scanner.html https://poi.apache.org/download.html#POI-5.3.0
        Hide
        Arturo Zambrano added a comment -

        Note that older Application Servers may throw exceptions when loading the new Apache POI libraries and their dependencies. These exceptions can be safely ignored and don't affect the normal functioning of the server. This occurs because the Application Servers scan the jars in the classpath looking for Servlet 3.0 pluggability features. These newer jars have annotations that were introduced in JDK 9, so they won't be recognized by older Application Servers that were released before Java 9. It is possible to prevent Application Servers to scan certain jars and avoid these exceptions being logged. In the case of Tomcat 7 and Tomcat 8, one can edit the configuration file $CATALINA_BASE/conf/catalina.properties and the property tomcat.util.scan.DefaultJarScanner.jarsToSkip and list all the new jars filenames, separated by commas and without spaces. Specifically, this is the string that has to be appended to the end of the value of this property:

        commons-compress-1.26.2.jar,poi-ooxml-5.3.0.jar,poi-ooxml-full-5.3.0.jar,log4j-api-2.23.1.jar,xmlbeans-5.2.1.jar,poi-5.3.0.jar,log4j-core-2.23.1.jar
        

        More information can be found in the following URL:

        https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#JAR_Scanning

        Show
        Arturo Zambrano added a comment - Note that older Application Servers may throw exceptions when loading the new Apache POI libraries and their dependencies. These exceptions can be safely ignored and don't affect the normal functioning of the server. This occurs because the Application Servers scan the jars in the classpath looking for Servlet 3.0 pluggability features. These newer jars have annotations that were introduced in JDK 9, so they won't be recognized by older Application Servers that were released before Java 9. It is possible to prevent Application Servers to scan certain jars and avoid these exceptions being logged. In the case of Tomcat 7 and Tomcat 8, one can edit the configuration file $CATALINA_BASE/conf/catalina.properties and the property tomcat.util.scan.DefaultJarScanner.jarsToSkip and list all the new jars filenames, separated by commas and without spaces. Specifically, this is the string that has to be appended to the end of the value of this property: commons-compress-1.26.2.jar,poi-ooxml-5.3.0.jar,poi-ooxml-full-5.3.0.jar,log4j-api-2.23.1.jar,xmlbeans-5.2.1.jar,poi-5.3.0.jar,log4j-core-2.23.1.jar More information can be found in the following URL: https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#JAR_Scanning

          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: