  1. TomEE
  2. TOMEE-2241

Need to upgrade commons-lang3-3.5.jar to commons-lang3-3.8.jar to allow Struts users to fix CVE-2018-11776 in their app

Details

    • Dependency upgrade
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 7.0.5
    • 7.0.6
    • TomEE Core Server
    • Important

    Description

      We are running our web apps with TomEE+ 7.0.5 and we are trying to upgrade our Apache Struts-based app to the latest version (Struts 2.5.17) because of CVE-2018-11776.

      Fixing this CVE-2018-11776 security issue involves upgrading the web apps' Struts dependency to Struts 2.5.17 (see https://struts.apache.org/announce.html#a20180822-0).

      However, it turns out that Struts 2.5.17 depends on new classes introduced in commons-lang3-3.6 (class org.apache.commons.lang3.reflect.MethodUtils does not have a getAnnotation method, which is expected by Struts 2.5.17), and Apache TomEE 7.0.5 comes with commons-lang3-3.5.jar.

      commons-lang3-3.5.jar is very old; we should upgrade TomEE core's dependency to the latest commons-lang3. Currently this is commons-lang3-3.8.jar.

          People

            Assignee: Unassigned
            Reporter: Alexandre Vermeerbergen (avermeerbergen)
            Votes: 2
            Watchers: 2

              Time Tracking

                Original Estimate: 1h
                Remaining Estimate: 1h
                Time Spent: Not Specified
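
An added example (not part of the original report and not TomEE or Struts code): a Python script that lists every commons-lang3 jar under the container and web app library directories and flags those older than 3.6, the release the report names as required by Struts 2.5.17. It assumes each jar carries Maven's `pom.properties` or a versioned file name; the function names and the directories passed on the command line are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

MIN_VERSION = (3, 6)  # release the report says Struts 2.5.17 needs
MARKER_CLASS = "org/apache/commons/lang3/reflect/MethodUtils.class"
POM_SUFFIX = "commons-lang3/pom.properties"  # assumed Maven metadata location


def parse_version(text):
    """Turn '3.5' or 'version=3.8.1' into a comparable tuple such as (3, 8, 1)."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def jar_version(jar_path):
    """Return the commons-lang3 version inside a jar, or None if it is another library."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        if MARKER_CLASS not in names:
            return None
        for name in names:
            if name.endswith(POM_SUFFIX):
                text = jar.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return parse_version(line)
    # No Maven metadata: fall back to the version embedded in the file name.
    match = re.search(r"commons-lang3-(\d+(?:\.\d+)+)", Path(jar_path).name)
    # Unknown version is reported as (0,) so that it is flagged for review.
    return parse_version(match.group(1)) if match else (0,)


def audit(*roots):
    """Return (path, version, ok) for each commons-lang3 jar below the given directories."""
    findings = []
    for root in roots:
        for jar_path in sorted(Path(root).rglob("*.jar")):
            try:
                version = jar_version(jar_path)
            except zipfile.BadZipFile:
                continue  # skip files that are not readable archives
            if version is not None:
                findings.append((str(jar_path), version, version >= MIN_VERSION))
    return findings


if __name__ == "__main__":
    # Usage: pass the container lib directory and the web app's WEB-INF/lib.
    for path, version, ok in audit(*sys.argv[1:]):
        print("OK " if ok else "OLD", ".".join(map(str, version)), path)
```

A jar reported as `OLD` in the container's library directory is the situation the report describes, even when the web app bundles a newer copy.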