[https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947412#comment-15947412]
Mark Symons commented on VELTOOLS-172:
--------------------------------------
FYI: CVE-2014-0114 is a threat linked to Apache Commons BeanUtils. See
VELTOOLS-170. Note also that it is not merely sufficient to use the latest
version (1.9.3) but it must be used correctly.
> Upgrade to supported, secure version of Apache Commons Validator
> ----------------------------------------------------------------
>
> Key: VELTOOLS-172
> URL: https://issues.apache.org/jira/browse/VELTOOLS-172
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityStruts
> Affects Versions: 2.0, 2.0.x, 2.1, 2.x
> Reporter: Aaron Katz
> Labels: security
>
> *Please upgrade Apache Commons Validator to a supported, secure version*. At
> this time, that appears to mean [upgrading to
> 1.6|https://commons.apache.org/proper/commons-validator/changes-report.html].
> h2. vulnerabilities
> There is at least one publicly known high severity vulnerability
> ([CVE-2014-0114|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114]),
> allowing remote code execution, affecting all versions from 1.3.1 through
> 1.4.1.
> A cursory review shows that there do not appear to be publicly known
> vulnerabilities in 1.5 and above.
> h2. support
> Apache Commons Validator 1.3.x [has not had a release since
> 2006|https://commons.apache.org/proper/commons-validator/changes-report.html],
> but [VelocityTools depends upon Validator
> 1.3|http://velocity.apache.org/tools/2.0/dependencies.html]. I was unable to
> determine which branches Validator considers to be supported, so am
> suggesting upgrade to 1.6. Given the release history of one major release
> followed by one minor release, then moving immediately to the next major
> release, this seems like a reasonable starting target.
> When vulnerabilities are discovered in unsupported software, the industry
> standard response is "you need to patch to a supported version." If you get
> too far behind in patch levels, then it may be very difficult to upgrade due
> to broken backwards compatibility.
> Furthermore, when vulnerabilities are discovered in supported software, there
> is no industry standard for determining if it affects unsupported versions.
> It's entirely possible that there are known vulnerabilities that affect the
> apparently-unsupported Apache Commons Validator 1.3 required by Velocity, and
> nobody will know until they're breached. On the other hand, when there's a
> supported major version, it's a de-facto industry standard to announce all
> supported versions that are affected. This means that staying on a supported
> version increases the chances of seeing vulnerability announcements for vulns
> that affect Velocity. It also means that staying on an unsupported version
> is considered equivalent to staying on a known vulnerable version.
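The comment above notes that BeanUtils 1.9.3 must be "used correctly". In BeanUtils 1.9.2 and 1.9.3 the SuppressPropertiesBeanIntrospector that hides the "class" property exists but is not registered by default, so the CVE-2014-0114 fix only takes effect once the application enables it. The following is an added example (not code from this issue, from Velocity Tools or from Struts) showing that registration and a self-check; it assumes Commons BeanUtils 1.9.3 on the classpath and uses a constructed UserForm bean.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class HardenedBeanUtilsExample {

    /** Constructed sample bean, standing in for a form bean filled from request parameters. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Builds a BeanUtilsBean that does not expose the "class" property.
     * A private instance is used here; the static BeanUtils.populate() helpers
     * use BeanUtilsBean.getInstance(), which must be hardened the same way if
     * any code path (for example Struts form population) relies on them.
     */
    public static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        PropertyUtilsBean pu = bub.getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; clear them so the new introspector
        // applies even if this instance already introspected a bean type.
        pu.clearDescriptors();
        return bub;
    }

    /** Self-check: fails fast if the suppression is not actually in effect. */
    public static void verifyHardened(BeanUtilsBean bub, Object bean) {
        if (bub.getPropertyUtils().isReadable(bean, "class")) {
            throw new IllegalStateException("'class' property still exposed; suppression not active");
        }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        BeanUtilsBean bub = hardened();
        verifyHardened(bub, form);

        Map<String, String> params = new HashMap<>();  // constructed input, e.g. HTTP parameters
        params.put("name", "alice");
        bub.populate(form, params);                     // ordinary properties still work
        System.out.println("name = " + form.getName());
    }
}
```

Wire verifyHardened() into application startup or a unit test so a dependency or configuration regression that re-exposes the property is caught before deployment.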
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)