Details
- Dependency upgrade
- Status: Resolved
- Major
- Resolution: Duplicate
- 7.0.5
- Important
Description
We are running our web apps with TomEE+ 7.0.5 and we are trying to upgrade our Apache Struts based app to the latest version (Struts 2.5.17) because of CVE-2018-11776.
Fixing this CVE-2018-11776 security issue involves upgrading the web app's Struts dependency to Struts 2.5.17 (see https://struts.apache.org/announce.html#a20180822-0).
However, it turns out that Struts 2.5.17 depends on new classes introduced in commons-lang3-3.6 (class org.apache.commons.lang3.reflect.MethodUtils does not have a getAnnotation method, which is expected by Struts 2.5.17), and Apache TomEE 7.0.5 comes with commons-lang3-3.5.jar.
commons-lang3-3.5.jar is very old; we should upgrade TomEE core's dependency to the latest commons-lang3. Currently this is commons-lang3-3.8.jar.
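
The following check is an added example, not code from this issue or from the TomEE or Struts projects. It reports which jar supplies `org.apache.commons.lang3.reflect.MethodUtils` to a given class loader and whether that copy has the `getAnnotation` method mentioned above. The class name `Lang3Check` and its helper methods are hypothetical.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

// Hypothetical diagnostic helper (not part of TomEE, Struts or commons-lang3).
public class Lang3Check {
    static final String CLASS_NAME = "org.apache.commons.lang3.reflect.MethodUtils";
    static final String METHOD_NAME = "getAnnotation";

    /** True if the class exposes at least one public method with this name. */
    static boolean hasPublicMethod(Class<?> cls, String name) {
        for (Method m : cls.getMethods()) {
            if (m.getName().equals(name)) {
                return true;
            }
        }
        return false;
    }

    /** Describes the copy of MethodUtils that the given loader resolves. */
    static String describe(ClassLoader loader) {
        Class<?> cls;
        try {
            // initialize=false: only resolve the class, run no static initializers
            cls = Class.forName(CLASS_NAME, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return CLASS_NAME + " not loadable: " + e;
        }
        // The code source tells us which jar won (container lib vs. WEB-INF/lib).
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        String location = (src != null && src.getLocation() != null)
                ? src.getLocation().toString() : "(unknown location)";
        // Implementation-Version comes from the jar manifest and may be absent.
        Package pkg = cls.getPackage();
        String version = (pkg != null) ? pkg.getImplementationVersion() : null;
        return "loaded from: " + location
                + "\nmanifest version: " + (version != null ? version : "(not set)")
                + "\n" + METHOD_NAME + " present: " + hasPublicMethod(cls, METHOD_NAME);
    }

    public static void main(String[] args) {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = Lang3Check.class.getClassLoader();
        }
        System.out.println(describe(loader));
    }
}
```

To see what the deployed web app actually resolves, call `Lang3Check.describe(Thread.currentThread().getContextClassLoader())` from code running inside the application rather than from the command line.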