You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Alexandre Vermeerbergen (JIRA)" <ji...@apache.org> on 2018/09/21 12:14:00 UTC
[jira] [Created] (TOMEE-2241) Need to upgrade commons-lang3-3.5.jar
to commons-lang3-3.8.jar to allows Struts users to fix CVE-2018-11776 in
their app
Alexandre Vermeerbergen created TOMEE-2241:
----------------------------------------------
Summary: Need to upgrade commons-lang3-3.5.jar to commons-lang3-3.8.jar to allows Struts users to fix CVE-2018-11776 in their app
Key: TOMEE-2241
URL: https://issues.apache.org/jira/browse/TOMEE-2241
Project: TomEE
Issue Type: Dependency upgrade
Components: TomEE Core Server
Affects Versions: 7.0.5
Reporter: Alexandre Vermeerbergen
Fix For: 7.0.6
We are running our web apps with TomEE+ 7.0.5 and we are trying to
upgrade our Apache struts based app to latest version (Struts 2.5.17) because of CVE-2018-11776.
Fixing this CVE-2018-11776 security issue involves upgrading web apps Struts dependency to Struts 2.5.17 (see [https://struts.apache.org/announce.html#a20180822-0)].
However it turns out that Struts 2.5.17 depends on new classes
introduced inĀ commons-lang3-3.6 (class
org.apache.commons.lang3.reflect.MethodUtils does not have a method
getAnnotation method which is expected by struts 2.5.17), and Apache TomEE 7.0.5 comes with commons-lang3-3.5.jar
commons-lang3-3.5.jar is very old, we should upgrade TomEE core's dependency to latest commons-lang3. Currently this is commons-lang3-3.8.jar
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)