Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
- Fix Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
- Component/s: Documentation
- Labels: None
- Environment: Any
Description
This JIRA is to review all the third-party libraries that are used by ICEfaces and to update them to newer versions that are as recent as feasible. The fact that ICEfaces uses javax.* packages, instead of the newer jakarta.* packages, will be an important factor in determining how recent the newer libraries can be. The newer libraries should be thoroughly tested. Therefore, this JIRA should be completed as early as possible, in order to allow more time for testing. The main purpose of this improvement is to eliminate various vulnerabilities that some third-party libraries that we use are known to have. Those vulnerabilities don't pose a risk as long as those third-party libraries aren't used in an ICEfaces application for purposes other than the ones they serve for the ICEfaces framework itself, as explained in ICE-11548. However, it is best to completely eliminate those security risks and prevent those vulnerabilities from appearing in security scans. A report of all the libraries updated should be added to this JIRA, along with any relevant observations and notes, including those libraries for which we determined that it wasn't feasible to update them.
Activity
Arturo Zambrano created issue
Arturo Zambrano made changes
Field | Original Value | New Value
---|---|---
Fix Version/s | EE-4.3.0.GA_P06 [ 14175 ] |
Fix Version/s | EE-3.3.0.GA_P12 [ 14176 ] |
All of the third-party libraries that are used by ICEfaces were reviewed and assessed. Some of them were updated to newer versions, while others were patched and others weren't modified. The main criteria for these decisions were security and stability. Security updates are an important aspect of ICEfaces patch releases, and they received special attention in this effort. And the stability that ICEfaces provides is also a quality that we want to preserve. As a result, some libraries were only patched, while for some other libraries we determined that it was best not to change them. The following is a summary of the work done:
The POI library, used for data exporting in XLS and XLSX formats, was updated to the latest available library, from 4.1.2 to 5.3.0. All its dependencies were updated as well to the prescribed versions in the release notes and in the Maven POM file. While the POI 4.1.2 library didn't have any vulnerabilities reported, some of its dependencies did have a few vulnerabilities reported. With this update, there are now no known vulnerabilities in the POI library used by ICEfaces nor in its dependencies, as of this writing.
The iText library was updated from version 2.1.7 to version 5.5.13.4. The old version has one known vulnerability, while the new version doesn't have any vulnerabilities. However, the package names changed slightly from com.lowagie.* to com.itextpdf.*. Any application doing something custom with the old library (such as a custom exporter or pre-processors and post-processors) will have to update the imports of their custom code, if they decide to update to the newer library. A mechanism was implemented for the exporter components to use either the newer library or the older library, in that order of precedence, if available. So, the old iText library can continue to be used as usual, if desired.
Research to find new vulnerabilities in the jQuery and jQuery UI libraries was performed; no new vulnerabilities were found for jQuery, and 3 new vulnerabilities were found for jQuery UI. Their respective fixes were applied in our code. More information can be found in this other JIRA, ICE-11564.
Likewise, research to find new vulnerabilities in the CKEditor (ace:richTextEntry) was conducted, and two new vulnerabilities were found since the last update. The fixes were applied to our code. More information can be found in this other JIRA, ICE-11563.
The rest of the libraries remained the same. They can be classified in 3 categories: core libraries, build-time libraries, and minor JavaScript libraries.
The core libraries are mainly Mojarra JSF and MyFaces, and their dependencies. They have remained the same for several years for stability reasons.
None of the build-time libraries pose any security risks for application developers using ICEfaces.
As for the remaining minor JavaScript libraries, which are used for specific components individually, no vulnerabilities were found in them, and they are no longer maintained by their original developers. We assessed their code for good measure and found no reasons for concern.
Even without the updates and fixes described above, the ICEfaces framework has always been very secure due to its fundamental approach of rendering the markup on the server and validating and sanitizing all user input before using it. All of the ICEfaces components have been designed carefully to avoid security issues. As long as the third-party libraries included in ICEfaces are only used for their original purposes (i.e., by the ICEfaces components only), application developers can have peace of mind that their applications are secure.
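The comment above describes a precedence mechanism for the exporter components: use the newer iText library (com.itextpdf.*) when it is on the classpath, otherwise fall back to the old one (com.lowagie.*). The following is an added example of how such a probe can be written; it is not ICEfaces' own code. The class name PdfLibraryProbe, its methods, and the choice of the Document class as the marker are assumptions of this example; com.itextpdf.text.Document and com.lowagie.text.Document are the Document class under each package root in the two iText generations the comment names.

```java
/**
 * Hypothetical classpath probe (added example, not ICEfaces code) that applies
 * the precedence described in the comment: prefer iText 5 (com.itextpdf.*),
 * fall back to iText 2.1.7 (com.lowagie.*), otherwise report that no PDF
 * library is available to the exporter.
 */
public final class PdfLibraryProbe {

    /** Which iText generation, if any, is visible to the given class loader. */
    public enum Flavor { ITEXT_5, ITEXT_2, NONE }

    // Marker classes: Document exists under both package roots, so its
    // presence tells us which generation of the library is on the classpath.
    static final String NEW_MARKER = "com.itextpdf.text.Document";
    static final String OLD_MARKER = "com.lowagie.text.Document";

    private final ClassLoader loader;

    public PdfLibraryProbe(ClassLoader loader) {
        this.loader = loader;
    }

    /** Newer library wins; the old one is selected only when the new one is absent. */
    public Flavor detect() {
        if (isLoadable(NEW_MARKER)) {
            return Flavor.ITEXT_5;
        }
        if (isLoadable(OLD_MARKER)) {
            return Flavor.ITEXT_2;
        }
        return Flavor.NONE;
    }

    /** Fully qualified Document class for the selected flavor, or null if none. */
    public String documentClassName() {
        switch (detect()) {
            case ITEXT_5:
                return NEW_MARKER;
            case ITEXT_2:
                return OLD_MARKER;
            default:
                return null;
        }
    }

    /**
     * initialize=false: we only ask whether the class resolves, without running
     * its static initializers. LinkageError covers a jar that is present but
     * cannot be linked (for example one compiled for a newer JVM); that must
     * count as "not usable" instead of crashing the exporter.
     */
    boolean isLoadable(String className) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** Reports both probes separately, which is what a deployment check needs. */
    public String report() {
        return "com.itextpdf present: " + isLoadable(NEW_MARKER)
             + ", com.lowagie present: " + isLoadable(OLD_MARKER)
             + ", selected: " + detect();
    }

    public static void main(String[] args) {
        PdfLibraryProbe probe = new PdfLibraryProbe(PdfLibraryProbe.class.getClassLoader());
        System.out.println(probe.report());
    }
}
```

Run it with the application's deployment classpath to confirm which library the exporters will actually pick. Note that precedence only decides which classes get loaded; a 2.1.7 jar left in the deployment next to the 5.5.13.4 jar is still present on disk and will still be flagged by a security scan, so the old jar should be removed from the deployment rather than merely out-ranked.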