Hi Ashish,

You don't need to wait for CXF releases to address the Guava concern if it is time critical - please include the Guava version you need in the project build definitions, that should solve the issue. For sure, upcoming CXF releases would be using the latest available version at the time of the release but there are no dates yet (tentatively, end of the year).

Thank you.
Best Regards,
Andriy Redko

> Hi Team,
>
> In our product, we are using Apache CXF Runtime WS Security
> (cxf-rt-ws-security) v3.5.5.
> It has a transitive dependency on Guava. Mentioned in yellow below.
>
> Apache CXF Runtime WS Security (3.5.5)
> Apache WSS4J DOM WS Security (2.4.1)
> Apache WSS4J WS Security Common (2.4.1)
> guava(30.1-jre)
>
> For Guava, we have observed two vulnerabilities
> (CVE-2023-2976<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976>,
> CVE-2020-8908<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908>).
> Fixes for these vulnerabilities are not available on Apache CXF 3.x.
> As the product is on Java 8, the fix will be required on Apache CXF 3.x only.
> Kindly let us know by when the fix will be provided on the 3.x version.
>
> Thanks
> Ashish Verma
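
The override suggested in the reply, shown as an added example that is not part of the original thread or of the CXF project. It assumes the product is built with Maven; `guava.version` and its value are placeholders, since the thread does not name a patched Guava release.

```xml
<!-- pom.xml of the product that depends on cxf-rt-ws-security (assumed Maven build) -->
<properties>
  <!-- Placeholder: set to a Guava release that fixes CVE-2023-2976 and
       CVE-2020-8908 and still runs on the product's Java 8 runtime. -->
  <guava.version>REPLACE_WITH_PATCHED_GUAVA_VERSION</guava.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- A managed version takes precedence over the version that arrives
         transitively (guava 30.1-jre via WSS4J 2.4.1 in the tree quoted above). -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${guava.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The CXF dependency itself stays on 3.5.5, as in the original report. -->
  <dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-ws-security</artifactId>
    <version>3.5.5</version>
  </dependency>
</dependencies>

<!-- Check which Guava version is actually resolved after the change:
       mvn dependency:tree -Dincludes=com.google.guava:guava
     The output should show the managed version, not 30.1-jre. -->
```

Run the product's WS-Security tests after the change, because WSS4J 2.4.1 was built against the older Guava.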