Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2022/09/15 08:06:00 UTC
[jira] [Commented] (TOMEE-4047) CVE-2022-29885 vulnerability on TomEE 7.0.9 version
[ https://issues.apache.org/jira/browse/TOMEE-4047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605182#comment-17605182 ]
Richard Zowalla commented on TOMEE-4047:
----------------------------------------
We discussed 7.0.x or 7.1.x releases on the [dev@tomee.apache.org|mailto:dev@tomee.apache.org] list. The related mail thread is [https://lists.apache.org/thread/hjbk86vjkds1os4gcvrpxgfxfn77qrl2]
*tl;dr*
* Currently, there is no intention to spend our limited resources on maintaining 7.0.x or 7.1.x - the majority of people are working on maintaining 8.x and/or a release of 9.x + preparation of EE10.
* The reasons are that these versions of TomEE rely on other libraries in versions which are no longer maintained or are also affected by CVEs. A prominent example is CXF; you can view a [naive Grype output on the list archive|https://lists.apache.org/api/email.lua?attachment=true&id=9qxpkrf4m53crm5cpxj4olo5nnjtm0zx&file=bd7092d9c6760a0abb8aa339233a6003488199eda633d12282640fd1926ecab0].
That said, we are perfectly fine if someone steps up and addresses the issues / CVEs found in 7.0.x or 7.1.x - however, it needs to be a "complete" job, as we won't do a release containing known vulnerabilities. The reasoning can be found in the linked mail thread, in which you are free to raise your opinion / voice.
> CVE-2022-29885 vulnerability on TomEE 7.0.9 version
> ---------------------------------------------------
>
> Key: TOMEE-4047
> URL: https://issues.apache.org/jira/browse/TOMEE-4047
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 7.0.9
> Reporter: Guzman Castanedo
> Priority: Major
> Fix For: 7.0.10
>
>
> Hello,
> We are using TomEE 7.0.9 and we have found that this version is affected by CVE-2022-29885, because it internally uses Tomcat 8.5.57.
> The tomcat versions affected by this vulnerability are between 8.5.38 and 8.5.78.
> Is it planned to fix this issue in the next TomEE 7.0 versions?
>
> We have found the same problem in the TomEE 7.1 version.
>
> References:
> * [https://nvd.nist.gov/vuln/detail/CVE-2022-29885]
>
> Thank you very much.
> Best regards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)