Hi, what are the known vulnerabilities in ehcache 2.10.6? The OWASP Maven dependency checker isn't detecting any issues.

There is a JIRA for the next WSS4J release to migrate to EhCache 3, once we pick this up then we can update CXF as well - https://issues.apache.org/jira/browse/WSS-632

Colm.

On Fri, Nov 8, 2019 at 12:24 PM Christoph Weser <[email protected]> wrote:

> Hello,
>
> as this is my first question please forgive me if this is the wrong list
> for my question. Any hint towards the right one is appreciated.
>
> We're using Apache 3.1.4 (Yes, I know it's quite old.).
> Deploying that the package also contains ehCache 2.10.4.
>
> Customer is now complaining about several vulnerabilities found in ehCache
> 2.10.4.
> As I looked at the newest release of Apache CXF I saw that also in that one
> ehCache 2.10.6 is used which still has several known vulnerabilities and so
> not even going to the newest release would solve these issues.
>
> As we're using WS security it seems that this reference is needed.
>
> So does anyone see a way of getting around that?
>
> Thanks a lot,
> Chris
>
