[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

2020-10-06 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208804#comment-17208804
 ] 

Jonathan Gallimore commented on TOMEE-2876:
---

> So if CXF is just the implementation, why can't you update to a higher minor 
>CXF version that has the issues fixed?

In later versions of TomEE, we do. TomEE 7 targets Java EE 7, which has JAX-RS 
2.0. TomEE 8 targets EE8, which is JAX-RS 2.1. The JAX-RS 2.0 version of CXF is 
3.1.x - we're on the latest version of CXF 3.1.x already.

Again, I'm happy to try and find a way forward with this when I can for TomEE 
7.x. It isn't as trivial as doing a simple dependency update.

If moving to TomEE 8 is problematic for people, we are definitely interested in 
the pain points, and what we can potentially do to move the needle.

> Fix cxf CVE issues
> --
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Build
>Affects Versions: 7.1.3
>Reporter: Leandro Vale
>Assignee: Jonathan Gallimore
>Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
>  * CVE-2019-12423
>  * CVE-2020-1954
>  * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

2020-10-06 Thread Robert Schaft (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208770#comment-17208770
 ] 

Robert Schaft commented on TOMEE-2876:
--

> JAX-RS is the API, CXF is the implementation. Theoretically, we could change 
>to something different, but TomEE consciously chooses to use Apache 
>implementations where possible. Creating a new implementation of JAX-RS from 
>scratch is likely a very substantial task.

So if CXF is just the implementation, why can't you update to a higher minor 
CXF version that has the issues fixed?



[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

2020-08-24 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17183350#comment-17183350
 ] 

Jonathan Gallimore commented on TOMEE-2876:
---

Let's leave this open, because there are some potential options to patch this 
that are worth exploring.

With respect to your feedback:

> We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7 
>one year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, 
>TomEE doesn't want to implement a new API.

JAX-RS is the API, CXF is the implementation. Theoretically, we could change to 
something different, but TomEE consciously chooses to use Apache 
implementations where possible. Creating a new implementation of JAX-RS from 
scratch is likely a very substantial task.

> We have the same issue in our project. In the current stabilizing phase we 
> want to avoid implementing new APIs. Updating to TomEE v8 is therefore not an 
> option. 

You'd be moving to a newer version of the JAX-RS API. The APIs tend to be 
backwards compatible (Jakarta EE 9 with the namespace change is an exception). 
I wouldn't expect you to run into issues moving from TomEE 7 -> 8. If you tried 
it, and did run into issues, we'd be interested to know what those issues are.



[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

2020-08-20 Thread Robert Schaft (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181316#comment-17181316
 ] 

Robert Schaft commented on TOMEE-2876:
--

If CVE-2019-12406 is not patched for the TomEE 7 branch and there is no 
workaround, you could as well close the branch and say that TomEE 7 is End of 
Life, because there are known vulnerabilities that can't be fixed.

This feature doesn't look like it would be hard to port back.

We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7 
one year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, 
TomEE doesn't want to implement a new API.

We have the same issue in our project. In the current stabilizing phase we want 
to avoid implementing new APIs. Updating to TomEE v8 is therefore not an option.



[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

2020-07-15 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17158060#comment-17158060
 ] 

Jonathan Gallimore commented on TOMEE-2876:
---

This has been discussed on the mailing list, and in short, isn't 
straightforward, as the newer versions of CXF target newer versions of JAX-RS 
than the TomEE 7.x.y branches are using (TomEE 7 targets EE7). That restricts 
us to CXF 3.1.x on these branches. The CXF team have confirmed that they will 
not create newer releases on the 3.1.x branch.

You could consider moving to TomEE 8. Over the next couple of days, I will look 
at the possibility of patching these using the tomee-patch-plugin we recently 
introduced with the Jakarta EE 9 work - does that sound reasonable?

These two CVEs are unlikely to impact TomEE:

[https://nvd.nist.gov/vuln/detail/CVE-2019-12423]

This relates to the JWK functionality in CXF, which TomEE does not use. Unless 
you're doing something specific in your application to use this functionality, 
you shouldn't be affected by this.

[https://nvd.nist.gov/vuln/detail/CVE-2020-1954]

It's possible to register an InstrumentationManager extension with the CXF bus, 
which opens a JMX/RMI port that is vulnerable to a man-in-the-middle attack. 
You'll notice from the CXF announcement that I helped to research and patch 
this issue in CXF. If you're using CXF directly, with a config like this: 
[https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/wsdl_first/src/main/resources/server-applicationContext.xml#L32-L37]
 you may be vulnerable. TomEE does not use this functionality, but your 
application might.

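As an added example (not code from the thread, from TomEE or from CXF), the check an application team could run on their own Spring contexts to find the InstrumentationManager configuration discussed above: it flags InstrumentationManagerImpl beans that are enabled without explicitly setting createMBServerConnectorFactory to false. The sample context is constructed; the property names follow CXF's InstrumentationManagerImpl, and treating an unset createMBServerConnectorFactory as "needs review" is an assumption, since the library default changed with the CVE-2020-1954 fix.

```python
import xml.etree.ElementTree as ET

# Constructed sample Spring context: the first bean wires CXF's JMX
# InstrumentationManager to the bus with a JMX/RMI URL, the second disables the connector.
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="org.apache.cxf.management.InstrumentationManager"
        class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="bus" ref="cxf"/>
    <property name="enabled" value="true"/>
    <property name="JMXServiceURL"
              value="service:jmx:rmi:///jndi/rmi://localhost:9914/jmxrmi"/>
  </bean>
  <bean id="noConnectorMgr"
        class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="enabled" value="true"/>
    <property name="createMBServerConnectorFactory" value="false"/>
  </bean>
</beans>
"""

IM_CLASS = "org.apache.cxf.management.jmx.InstrumentationManagerImpl"


def _local(tag):
    """Strip the XML namespace so the scan works with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_jmx_connector_beans(xml_text):
    """Return (bean id, createMBServerConnectorFactory value, JMXServiceURL) for each
    enabled InstrumentationManagerImpl bean that does not explicitly set
    createMBServerConnectorFactory to false, i.e. one that may open the JMX/RMI connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != IM_CLASS:
            continue
        props = {p.get("name"): (p.get("value") or "").strip()
                 for p in bean if _local(p.tag) == "property"}
        # Assumption: 'enabled' is treated as false when absent; an absent
        # createMBServerConnectorFactory relies on the library default, which changed
        # with the CXF fix, so it is reported for review rather than treated as safe.
        enabled = props.get("enabled", "false").lower() == "true"
        connector = props.get("createMBServerConnectorFactory", "unset").lower()
        if enabled and connector != "false":
            findings.append((bean.get("id"), connector, props.get("JMXServiceURL", "")))
    return findings
```

Run it over the application's own context files rather than the sample; a finding means the JMX connector settings need review against the CXF version in use.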