Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2022/09/15 08:06:00 UTC

[jira] [Commented] (TOMEE-4047) CVE-2022-29885 vulnerability on TomEE 7.0.9 version

    [ https://issues.apache.org/jira/browse/TOMEE-4047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605182#comment-17605182 ] 

Richard Zowalla commented on TOMEE-4047:
----------------------------------------

We discussed 7.0.x or 7.1.x releases on the [dev@tomee.apache.org|mailto:dev@tomee.apache.org] list. The related mail thread is [https://lists.apache.org/thread/hjbk86vjkds1os4gcvrpxgfxfn77qrl2] 

*tl;dr*
 * Currently, there is no intention to spend our limited resources on maintaining 7.0.x or 7.1.x - the majority of people are working on maintaining 8.x and/or a release of 9.x + preparation of EE10.
 * The reasons are that these versions of TomEE rely on other libraries in versions which aren't maintained any more or are also affected by CVEs. A prominent example is CXF; you can view a [naive Grype output on the list archive|https://lists.apache.org/api/email.lua?attachment=true&id=9qxpkrf4m53crm5cpxj4olo5nnjtm0zx&file=bd7092d9c6760a0abb8aa339233a6003488199eda633d12282640fd1926ecab0].

That said, we are perfectly fine if someone steps up and addresses the issues / CVEs found in 7.0.x or 7.1.x - however, it needs to be a "complete" job, as we won't do a release containing known vulnerabilities. The reasoning can be found in the linked mail thread, in which you are free to raise your opinion / voice.

> CVE-2022-29885 vulnerability on TomEE 7.0.9 version
> ---------------------------------------------------
>
>                 Key: TOMEE-4047
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4047
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 7.0.9
>            Reporter: Guzman Castanedo
>            Priority: Major
>             Fix For: 7.0.10
>
>
> Hello,
> We are using TomEE 7.0.9 and we have found that this version is affected by CVE-2022-29885, because it internally uses Tomcat 8.5.57.
> The Tomcat versions affected by this vulnerability are between 8.5.38 and 8.5.78.
> Is it planned to fix this issue in the next TomEE 7.0 versions?
>  
> We have found the same problem in TomEE 7.1 version.
>  
> References:
>  * [https://nvd.nist.gov/vuln/detail/CVE-2022-29885]
>  
> Thank you very much.
> Best regards.
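As an added example (not code from the thread or from the TomEE project): a check of a bundled Tomcat version against the affected range the report states (8.5.38 to 8.5.78 inclusive), reading the version from `catalina.jar`'s `org/apache/catalina/util/ServerInfo.properties`; the sample jar built in `make_sample_jar` is constructed for the demonstration.

```python
"""Check a bundled Tomcat version against the affected range given in TOMEE-4047."""
import io
import re
import zipfile
from typing import Optional, Tuple

# Inclusive range taken from the issue text: Tomcat 8.5.38 .. 8.5.78.
AFFECTED_RANGE = ((8, 5, 38), (8, 5, 78))
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from 'Apache Tomcat/8.5.57' or a bare '8.5.57'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str, affected=AFFECTED_RANGE) -> bool:
    """True when the version lies inside the affected range (tuple comparison)."""
    low, high = affected
    return low <= parse_version(version) <= high


def tomcat_version_from_jar(catalina_jar) -> Optional[str]:
    """Read server.info from catalina.jar; accepts a path or a file-like object."""
    with zipfile.ZipFile(catalina_jar) as jar:
        try:
            data = jar.read(SERVER_INFO_PATH).decode("utf-8")
        except KeyError:  # not a catalina.jar, or a stripped build
            return None
    for line in data.splitlines():
        if line.startswith("server.info="):
            return line.split("=", 1)[1].strip()
    return None


def make_sample_jar(version: str) -> io.BytesIO:
    """Constructed in-memory stand-in for catalina.jar (demo input, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO_PATH, f"server.info=Apache Tomcat/{version}\n")
    buf.seek(0)
    return buf


def audit_jar(catalina_jar) -> Optional[bool]:
    """None if no version could be read, else whether the bundled Tomcat is affected."""
    info = tomcat_version_from_jar(catalina_jar)
    return None if info is None else is_affected(info)
```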