[ https://issues.apache.org/jira/browse/TOMEE-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Wiesner resolved TOMEE-2241.
-----------------------------------
    Resolution: Duplicate

Resolved as duplicate of TOMEE-2242.

> Need to upgrade commons-lang3-3.5.jar to commons-lang3-3.8.jar to allows Struts users to fix CVE-2018-11776 in their app
> ------------------------------------------------------------------------
>
>                 Key: TOMEE-2241
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2241
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 7.0.5
>            Reporter: Alexandre Vermeerbergen
>            Priority: Major
>              Labels: commons-lang,
>             Fix For: 7.0.6
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> We are running our web apps with TomEE+ 7.0.5 and we are trying to
> upgrade our Apache Struts based app to the latest version (Struts 2.5.17)
> because of CVE-2018-11776.
> Fixing this CVE-2018-11776 security issue involves upgrading the web apps' Struts
> dependency to Struts 2.5.17 (see
> https://struts.apache.org/announce.html#a20180822-0).
>
> However, it turns out that Struts 2.5.17 depends on new classes
> introduced in commons-lang3-3.6 (class
> org.apache.commons.lang3.reflect.MethodUtils does not have a
> getAnnotation method, which is expected by Struts 2.5.17), and Apache TomEE
> 7.0.5 comes with commons-lang3-3.5.jar.
> commons-lang3-3.5.jar is very old; we should upgrade TomEE core's dependency
> to the latest commons-lang3. Currently this is commons-lang3-3.8.jar.
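
A way to confirm the mismatch described in the issue before and after upgrading, as an added example that is not part of the original message or of the TomEE or Struts code: it reports which JAR `MethodUtils` was loaded from and whether it exposes `getAnnotation`. The class name `CommonsLangCheck` is hypothetical, and the check is assumed to run with the web application's context class loader (for example from a servlet or startup listener).

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

// Added diagnostic, not from the TomEE or Struts code bases.
// Uses reflection only, so it compiles without commons-lang3 on the build path.
public class CommonsLangCheck {

    static final String CLASS_NAME = "org.apache.commons.lang3.reflect.MethodUtils";
    static final String METHOD_NAME = "getAnnotation"; // method the issue says Struts 2.5.17 expects

    /** True if the class exposes at least one public method with the given name. */
    static boolean hasPublicMethod(Class<?> cls, String name) {
        for (Method m : cls.getMethods()) {
            if (m.getName().equals(name)) {
                return true;
            }
        }
        return false;
    }

    /** Location (usually a JAR URL) the class was loaded from, if the JVM exposes it. */
    static String origin(Class<?> cls) {
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null)
                ? "(unknown location)"
                : src.getLocation().toString();
    }

    /** One-line report for the class as seen by the given class loader. */
    static String report(ClassLoader loader) {
        try {
            // initialize=false: inspect the class without running its static initializers
            Class<?> cls = Class.forName(CLASS_NAME, false, loader);
            String verdict = hasPublicMethod(cls, METHOD_NAME)
                    ? "OK: " + METHOD_NAME + " present"
                    : "MISMATCH: " + METHOD_NAME + " missing (older commons-lang3 wins on this class path)";
            return verdict + " | loaded from " + origin(cls);
        } catch (ClassNotFoundException e) {
            return "commons-lang3 not visible to this class loader";
        }
    }

    public static void main(String[] args) {
        System.out.println(report(Thread.currentThread().getContextClassLoader()));
    }
}
```

If the reported location is the container's `lib` directory rather than the application's `WEB-INF/lib`, the server-provided JAR is the one Struts will see.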