[jira] [Created] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator

Thu, 09 Mar 2017 10:55:02 -0800 

Aaron Katz created VELTOOLS-172:
-----------------------------------

             Summary: Upgrade to supported, secure version of Apache Commons 
Validator
                 Key: VELTOOLS-172
                 URL: https://issues.apache.org/jira/browse/VELTOOLS-172
             Project: Velocity Tools
          Issue Type: Bug
          Components: VelocityStruts
    Affects Versions: 2.0, 2.0.x, 2.1, 2.x
            Reporter: Aaron Katz


*Please upgrade struts to a supported, secure version*.  At this time, that 
means upgrading to 2.3.32 or 2.5.10.1


h2. vulnerabilities
There are publicly known high severity vulnerabilities, including remote code 
execution vulns, affecting all versions of Struts 2 except the versions cited 
above.

* 
https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapache&cpe_product=cpe%3a%2f%3a%3astruts&cvss_version=3&cve_id=
* (details not yet in NVD) https://cwiki.apache.org/confluence/display/WW/S2-045


h2. support
Apache struts 1 [reached end of life in the year 
2000|https://struts.apache.org/struts1eol-announcement.html], but 
[VelocityTools depends upon Struts 
1.3.8|http://velocity.apache.org/tools/2.0/dependencies.html].


When vulnerabilities are discovered in unsupported software, the industry 
standard response is "you need to patch to a supported version."  If you get 
too far behind in patch levels, then it may be very difficult to upgrade due to 
broken backwards compatibility.  

Furthermore, when vulnerabilities are discovered in supported software, there 
is no industry standard for determining if it affects unsupported versions.  
It's entirely possible that there are known vulnerabilities that affect the 
unsupported Struts 1.3.8 required by Velocity, and nobody will know until 
they're breached.  On the other hand, when there's a supported major version, 
it's a de-facto industry standard to announce all supported versions that are 
affected.  This means that staying on a supported version increases the chances 
of seeing vulnerability announcements for vulns that affect Velocity.  It also 
means that staying on an unsupported version is considered equivalent to 
staying on a known vulnerable version.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to