Posted to issues@cxf.apache.org by Ashish Verma V <as...@ericsson.com.INVALID> on 2023/10/16 09:54:59 UTC

Apache CXF Vulnerabilities

Hi Team,

In our product, we are using Apache CXF Runtime WS Security (cxf-rt-ws-security) v3.5.5.
It has a transitive dependency on Guava, mentioned in yellow below.

Apache CXF Runtime WS Security (3.5.5)
    Apache WSS4J DOM WS Security (2.4.1)
        Apache WSS4J WS Security Common (2.4.1)
            guava (30.1-jre)

For Guava, we have observed two vulnerabilities: CVE-2023-2976 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976) and CVE-2020-8908 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908).
Fixes for these vulnerabilities are not available on Apache CXF 3.x.
As the product is on Java 8, the fix will be required on Apache CXF 3.x only.

Kindly let us know by when the fix will be provided on the 3.x version.

Thanks
Ashish Verma


Re: Apache CXF Vulnerabilities

Posted by Andriy Redko <dr...@gmail.com>.
Hi Ashish,

You don't need to wait for CXF releases to address the Guava concern if it is
time critical - please include the Guava version you need in the project build
definitions; that should solve the issue. For sure, upcoming CXF releases would be
using the latest available version at the time of the release, but there are no dates
yet (tentatively, end of the year). Thank you.

Best Regards,
    Andriy Redko

> Hi Team,

> In our product, we are using Apache CXF Runtime WS Security (cxf-rt-ws-security) v3.5.5.
> It has a transitive dependency on Guava, mentioned in yellow below.

> Apache CXF Runtime WS Security (3.5.5)
>     Apache WSS4J DOM WS Security (2.4.1)
>         Apache WSS4J WS Security Common (2.4.1)
>             guava (30.1-jre)

> For Guava, we have observed two vulnerabilities: CVE-2023-2976 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976) and CVE-2020-8908 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908).
> Fixes for these vulnerabilities are not available on Apache CXF 3.x.
> As the product is on Java 8, the fix will be required on Apache CXF 3.x only.

> Kindly let us know by when the fix will be provided on the 3.x version.

> Thanks
> Ashish Verma
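One way to apply Andriy's suggestion in a Maven build, added here as an example and not taken from the thread or the CXF project: a dependencyManagement entry overrides the Guava 30.1-jre that cxf-rt-ws-security pulls in through WSS4J. The Guava version is an assumption; pick the release your vulnerability scanner accepts for the two CVEs.

```xml
<!-- pom.xml fragment (added example, not from the thread or the CXF project).
     Pins Guava so the transitive 30.1-jre from cxf-rt-ws-security -> wss4j is overridden. -->
<properties>
  <cxf.version>3.5.5</cxf.version>
  <!-- assumed value: a Guava release that addresses CVE-2023-2976 and CVE-2020-8908;
       the 32.x-jre line still targets Java 8, so it fits a Java 8 product -->
  <guava.version>32.0.1-jre</guava.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- a managed version takes precedence over versions declared in transitive POMs -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${guava.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-ws-security</artifactId>
    <version>${cxf.version}</version>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=com.google.guava:guava`: the tree should now list the pinned version under the WSS4J artifacts instead of 30.1-jre, and the same pin has to be applied in every module that builds its own artifact.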
