Tue, 31 Mar 2026 at 15:09 Angel <[email protected]> wrote:

> Regarding the CVE-2026-0603 vulnerability affecting hibernate-core 5.x
> versions. We are running Apache Struts 6.8.0 with hibernate-core 5.6.15.
>
> We know it's an optional dependency for struts-core, but without it, during
> the app execution, a lot of NoClassDefFoundError-s (hundreds of thousands)
> are thrown and internally handled in
> com.opensymphony.xwork2.util.ProxyUtil#isHibernateProxy.
> This decreases the performance of our app.

This looks like a bug; if Hibernate isn't present, this function should be ignored. Feel free to report a bug in JIRA.

> Is it safe to upgrade hibernate-core to a non-vulnerable version while
> staying on Struts 6.8.0?

If this is Hibernate 5.x it shouldn't be an issue.

Cheers
Łukasz

