Hello Again,

Completed some basic tests with TomEE+ 8.0.13 (more complex tests to
come), but also I ran https://github.com/anchore/grype latest version
on TomEE+ 8.0.12 versus this candidate 8.0.13, with focus on Jackson
CVEs, and here's the outcome:

With TomEE+ 8.0.12, the jackson-databind-2.13.2.2.jar file was found
to have the following vulnerabilities:
    CVE-2022-42003
    CVE-2022-42004
    GHSA-jjjh-jjxp-wpff
    GHSA-rgv9-q543-rqg4

With TomEE+ 8.0.13 candidate release, the jackson-databind-2.14.0-rc1.jar
file was found to have the following vulnerabilities:
    CVE-2022-42003

which is bizarre because according to
https://nvd.nist.gov/vuln/detail/CVE-2022-42003, 2.14.0-rc1 is
supposed to fix CVE-2022-42003.

I know that Grype isn't perfect, but the problem is that it is widely
used, so if you are sure that this is a false positive, then can you
please provide a statement about it in the release notes and/or in the
documentation, to avoid users' confusion?

PS: CVE-2022-42003 is rated 7.5 (High) by
https://nvd.nist.gov/vuln/detail/CVE-2022-42003, so it's not quite
TomEE 8.0.13 could be released without a word about it...

I will send my vote when I have completed my more advanced tests
with the 8.0.13 candidate release.

Thanks,
Alex

On Tue, 11 Oct 2022 at 22:28, Zowalla, Richard
<richard.zowa...@hs-heilbronn.de> wrote:
>
> Good catch. This is expected:
>
> https://issues.apache.org/jira/browse/TOMEE-4021
>
> or
>
> https://lists.apache.org/thread/8tky9dr2sf99cs2hrj95j81w1rhrtdfn
>
> Regards
> Richard
>
> On Tuesday, 11.10.2022 at 22:23 +0200, Alex The Rocker wrote:
> > okay, I probably made a mistake somewhere.
> > Also I see ehcache*.jar is removed in TomEE+ 8.0.13 => is it
> > intentional (I love seeing fewer JARs ;) ?
> >
> > Alex
> >
> > On Tue, 11 Oct 2022 at 22:17, Zowalla, Richard
> > <richard.zowa...@hs-heilbronn.de> wrote:
> > >
> > > I am currently not on my dev system but I checked via:
> > >
> > > $ gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys
> > > B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > >
> > > $ gpg --verify apache-tomee-8.0.13-plus.tar.gz.asc apache-tomee-8.0.13-plus.tar.gz
> > >
> > > gpg: Signatur vom Di 11 Okt 2022 13:14:04 CEST
> > > gpg:                mittels RSA-Schlüssel
> > > B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > gpg: Korrekte Signatur von "Richard Zowalla (Code Signing Key)
> > > <r...@apache.org>" [unbekannt]
> > >
> > >
> > > Regards
> > > Richard
> > >
> > > On Tuesday, 11.10.2022 at 22:04 +0200, Alex The Rocker wrote:
> > > > Sorry previous mail sent too quickly.
> > > >
> > > > What's wrong here?
> > > >
> > > > $ gpg --verify /tmp/tomee8013.asc apache-tomee-8.0.13-plus.tar.gz
> > > > gpg: Signature made Tue 11 Oct 2022 01:14:04 PM CEST using RSA key ID E5B8A431
> > > > gpg: Can't check signature: No public key
> > > >
> > > > On Tue, 11 Oct 2022 at 22:03, Alex The Rocker
> > > > <alex.m3...@gmail.com> wrote:
> > > > >
> > > > > Hum... what's wrong here:
> > > > >
> > > > > On Tue, 11 Oct 2022 at 21:22, Alex The Rocker
> > > > > <alex.m3...@gmail.com> wrote:
> > > > > >
> > > > > > +1 for more frequent releases (at least based on CVE with at
> > > > > > least high severity)
> > > > > > and yes, I have a relatively large test base ; stay tuned!
> > > > > >
> > > > > > On Tue, 11 Oct 2022 at 21:16, Richard Zowalla
> > > > > > <r...@apache.org> wrote:
> > > > > > >
> > > > > > > Hi Alex,
> > > > > > >
> > > > > > > we can maybe get into the habit of releasing more often
> > > > > > > (yes, I know: we discussed this over and over on the list...).
> > > > > > >
> > > > > > > I was just copying from the VOTE template docs, which
> > > > > > > mention to write "first attempt" and so on... - so no regrets,
> > > > > > > just copy & paste.
> > > > > > >
> > > > > > > I don't expect any surprises but we never know: I did some
> > > > > > > tests on some of our projects (jaxrs, jaxws, batchee, ...) but
> > > > > > > I have no possibility to do large scale tests as you can do
> > > > > > > them ;-) - so happy to get some feedback.
> > > > > > >
> > > > > > > The CXF cleanup might be a candidate for regressions as we
> > > > > > > shipped older code under the covers of newer cxf versions and
> > > > > > > didn't notice that for some time now.
> > > > > > >
> > > > > > > Regards
> > > > > > > Richard
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Tuesday, 11.10.2022 at 21:05 +0200, Alex The Rocker wrote:
> > > > > > > > Hi Richard,
> > > > > > > >
> > > > > > > > Thanks for this quick TomEE 8.0.3 release after not so
> > > > > > > > long discussions!
> > > > > > > > I'll run some tests ASAP and then give my vote (non-binding).
> > > > > > > > Why do you mention "1st attempt"? Any regrets?
> > > > > > > >
> > > > > > > > Alex
> > > > > > > >
> > > > > > > > On Tue, 11 Oct 2022 at 20:01, Richard Zowalla
> > > > > > > > <r...@apache.org> wrote:
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > this is a first attempt at a vote for a release of
> > > > > > > > > Apache TomEE 8.0.13.
> > > > > > > > >
> > > > > > > > > It is a maintenance release with some bug fixes and
> > > > > > > > > dependency upgrades.
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Maven Repo:
> > > > > > > > > https://repository.apache.org/content/repositories/orgapachetomee-1207
> > > > > > > > >
> > > > > > > > >   <repositories>
> > > > > > > > >     <repository>
> > > > > > > > >       <id>tomee-8.0.13-release-test</id>
> > > > > > > > >       <name>Testing TomEE 8.0.13 release candidate</name>
> > > > > > > > >       <url>https://repository.apache.org/content/repositories/orgapachetomee-1207</url>
> > > > > > > > >     </repository>
> > > > > > > > >   </repositories>
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Binaries & Source:
> > > > > > > > >
> > > > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Tag:
> > > > > > > > >
> > > > > > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Latest CI/CD build:
> > > > > > > > >
> > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Release notes:
> > > > > > > > >
> > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Here is an adoc generated version of the changelog as well:
> > > > > > > > >
> > > > > > > > > == Dependency upgrade
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057] CXF 3.4.8
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059] EclipseLink 2.7.11
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063] Geronimo Transaction Manager 3.1.5
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067] Jackson 2.14.0-rc1
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] Snakeyaml 1.33
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060] Tomcat 9.0.67
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087] Tomcat 9.0.68
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > > > > > > > >
> > > > > > > > > == New Feature
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928] Example for properties provider
> > > > > > > > >
> > > > > > > > > == Bug
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850] HTTP(S) connections are not reused
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > > > > > > > >
> > > > > > > > > == Improvement
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x
> > > > > > > > >
> > > > > > > > > == Task
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064] OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056] Log4J2 2.19.0
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058] Update Krazo, DeltaSpike and Hibernate
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> > > > > > > > >
> > > > > > > > > == Documentation
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023] Comparison pages with wrong specs per profiles
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981] update javadoc to reflect updates on Jakarta EE
> > > > > > > > >
> > > > > > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > > > > > >
> > > > > > > > > [.compact]
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > > > > > > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Here is the dependency diff from 8.0.12 to 8.0.13 created
> > > > > > > > > with David's new feature in our release tools:
> > > > > > > > >
> > > > > > > > >  artifactId                          from   to
> > > > > > > > >  ------------------------------- -------- ------------
> > > > > > > > >  jackson-annotations               2.13.2   2.14.0-rc1
> > > > > > > > >  jackson-core                      2.13.2   2.14.0-rc1
> > > > > > > > >  jackson-databind                2.13.2.2   2.14.0-rc1
> > > > > > > > >  jackson-dataformat-yaml           2.13.2   2.14.0-rc1
> > > > > > > > >  commons-cli                          1.4   1.5.0
> > > > > > > > >  batchee-jbatch                     1.0.1   1.0.2
> > > > > > > > >  commons-dbcp2                      2.3.0   2.9.0
> > > > > > > > >  cxf-rt-bindings-soap               3.4.5   3.4.8
> > > > > > > > >  cxf-rt-bindings-xml                3.4.5   3.4.8
> > > > > > > > >  cxf-rt-frontend-jaxws              3.4.5   3.4.8
> > > > > > > > >  cxf-rt-frontend-simple             3.4.5   3.4.8
> > > > > > > > >  cxf-rt-management                  3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-extension-providers      3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-extension-search         3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-json-basic               3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-mp-client                3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-security-cors            3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-security-jose            3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-security-jose-jaxrs      3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-security-oauth2          3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-service-description      3.4.5   3.4.8
> > > > > > > > >  cxf-rt-rs-sse                      3.4.5   3.4.8
> > > > > > > > >  cxf-rt-security                    3.4.5   3.4.8
> > > > > > > > >  cxf-rt-security-saml               3.4.5   3.4.8
> > > > > > > > >  cxf-rt-ws-addr                     3.4.5   3.4.8
> > > > > > > > >  cxf-rt-ws-policy                   3.4.5   3.4.8
> > > > > > > > >  cxf-rt-ws-security                 3.4.5   3.4.8
> > > > > > > > >  cxf-rt-wsdl                        3.4.5   3.4.8
> > > > > > > > >  geronimo-connector                 3.1.4   3.1.5
> > > > > > > > >  geronimo-transaction               3.1.4   3.1.5
> > > > > > > > >  johnzon-core                      1.2.18   1.2.19
> > > > > > > > >  johnzon-jaxrs                     1.2.18   1.2.19
> > > > > > > > >  johnzon-jsonb                     1.2.18   1.2.19
> > > > > > > > >  johnzon-jsonp-strict              1.2.18   1.2.19
> > > > > > > > >  johnzon-mapper                    1.2.18   1.2.19
> > > > > > > > >  myfaces-api                        2.3.9   2.3.10
> > > > > > > > >  myfaces-impl                       2.3.9   2.3.10
> > > > > > > > >  cxf-shade                         8.0.12   8.0.13
> > > > > > > > >  taglibs-shade                     8.0.12   8.0.13
> > > > > > > > >  tomee-bootstrap                   8.0.12   8.0.13
> > > > > > > > >  bcprov-jdk15on                      1.69   1.70
> > > > > > > > >  eclipselink                        2.7.9   2.7.11
> > > > > > > > >  jakarta.faces                     2.3.15   2.3.18
> > > > > > > > >  hsqldb                             2.5.2   2.7.0
> > > > > > > > >  snakeyaml                           1.30   1.33
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > > Please note:
> > > > > > > > >
> > > > > > > > > (1) CVE-2022-42003 (jackson-databind): Users are only
> > > > > > > > > affected if 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled.
> > > > > > > > > Mitigation is included in 2.14.0-rc1 - as discussed in a
> > > > > > > > > separate thread, we are "ok" to ship an RC version. We aim
> > > > > > > > > to do a follow-up release of TomEE 8.x soon.
> > > > > > > > >
> > > > > > > > > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet,
> > > > > > > > > TomEE sets "hsqldb.method_class_names" to an invalid value
> > > > > > > > > to mitigate the vulnerability. Users can override the
> > > > > > > > > property as needed.
> > > > > > > > >
> > > > > > > > > ###############
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Please VOTE
> > > > > > > > >
> > > > > > > > > [+1] go ship it
> > > > > > > > > [+0] meh, don't care
> > > > > > > > > [-1] stop, there is a ${showstopper}
> > > > > > > > >
> > > > > > > > > The VOTE is open for 72h or as long as needed.
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > > Richard
> > > > > > > > >
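The Grype comparison Alex describes in the top message, written out as an added example (not code from the thread or the TomEE project): it diffs two constructed Grype JSON scans per artifact and flags a finding as a likely false positive when the reported version is at or above the fix version NVD states, using a pre-release-aware comparison so that 2.14.0-rc1 equals the stated fix while 2.14.0 ranks above it. The Grype JSON field names (matches, vulnerability.id, artifact.name/version) are an assumption, and both scan documents are constructed rather than real scanner output.

```python
"""Triage Grype findings against a vendor-stated fixed version (added example,
not code from the TomEE thread). Grype JSON field names are an assumption."""
import json
import re

# Constructed Grype-style output for both TomEE builds (not a real scan).
GRYPE_8_0_12 = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-42003", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
    {"vulnerability": {"id": "CVE-2022-42004", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
]})
GRYPE_8_0_13 = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-42003", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.14.0-rc1"}},
]})

# Fix version as published by NVD (from the thread: 2.14.0-rc1 fixes CVE-2022-42003).
FIXED_IN = {("jackson-databind", "CVE-2022-42003"): "2.14.0-rc1"}


def parse_version(v):
    """Turn '2.14.0-rc1' into a sortable key; a final release ranks above its RCs."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so 2.14.0 == 2.14.0.0
    if m.group(2) is None:
        return nums, (1, "", 0)  # final release
    return nums, (0, m.group(2).lower(), int(m.group(3) or 0))  # pre-release


def findings(grype_json):
    """Map (artifact, CVE) -> reported version from a Grype JSON document."""
    doc = json.loads(grype_json)
    return {(m["artifact"]["name"], m["vulnerability"]["id"]): m["artifact"]["version"]
            for m in doc["matches"]}


def triage(grype_json, fixed_in=FIXED_IN):
    """'confirmed' below the known fix, 'likely-false-positive' at or above it."""
    result = {}
    for key, version in findings(grype_json).items():
        fix = fixed_in.get(key)
        if fix is None:
            result[key] = "unknown-fix"  # no vendor fix data: needs manual review
        elif parse_version(version) >= parse_version(fix):
            result[key] = "likely-false-positive"
        else:
            result[key] = "confirmed"
    return result


def compare(old_json, new_json):
    """CVEs fixed, remaining or newly introduced between two scans, per artifact."""
    old, new = set(findings(old_json)), set(findings(new_json))
    return {"fixed": sorted(old - new), "remaining": sorted(old & new),
            "new": sorted(new - old)}
```

A "likely-false-positive" verdict is a prompt to check the scanner's fix data against the vendor advisory, not a reason to suppress the finding outright.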
