RE: Re: Re: Hibernate upgrade with Struts 6.8.0
> Basically Struts doesn't use Hibernate, its only usage is the case
> with detecting proxies to properly resolve members
> SecurityMemberAccess. This question is rather to you - if your app is
> ready to support a downgraded version.
>
> Cheers
> Łukasz

We will look into it, thank you for the provided information!

Cheers
Angel
Re: Re: Hibernate upgrade with Struts 6.8.0
unsubscribe [email protected]

On Fri, Apr 3, 2026 at 9:58 AM Angel wrote:
> > If this is Hibernate 5.x it shouldn't be an issue.
>
> We found out that Hibernate 5.3 still gets security support as its latest
> patch version 5.3.38 is rolled out this year and isn't affected by
> CVE-2026-0603 so we are considering downgrading hibernate-core to this
> specific version.
>
> Our only concern is that Struts lists hibernate-core 5.6.15 as its
> dependency. Should we expect any issues by downgrading to 5.3?
>
> Cheers
> Angel
Re: Re: Hibernate upgrade with Struts 6.8.0
On Fri, 3 Apr 2026 at 15:58, Angel wrote:
> > If this is Hibernate 5.x it shouldn't be an issue.
>
> We found out that Hibernate 5.3 still gets security support as its latest
> patch version 5.3.38 is rolled out this year and isn't affected by
> CVE-2026-0603 so we are considering downgrading hibernate-core to this
> specific version.
>
> Our only concern is that Struts lists hibernate-core 5.6.15 as its
> dependency. Should we expect any issues by downgrading to 5.3?

Basically Struts doesn't use Hibernate, its only usage is the case
with detecting proxies to properly resolve members
SecurityMemberAccess. This question is rather to you - if your app is
ready to support a downgraded version.

Cheers
Łukasz

-
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Re: Re: Hibernate upgrade with Struts 6.8.0
> If this is Hibernate 5.x it shouldn't be an issue.

We found out that Hibernate 5.3 still gets security support as its latest
patch version 5.3.38 is rolled out this year and isn't affected by
CVE-2026-0603 so we are considering downgrading hibernate-core to this
specific version.

Our only concern is that Struts lists hibernate-core 5.6.15 as its
dependency. Should we expect any issues by downgrading to 5.3?

Cheers
Angel
Re: Hibernate upgrade with Struts 6.8.0
On Tue, 31 Mar 2026 at 15:09, Angel wrote:
> Regarding the CVE-2026-0603 vulnerability affecting hibernate-core 5.x
> versions. We are running Apache struts 6.8.0 with hibernate-core 5.6.15.
>
> We know it's an optional dependency for struts-core, but without it during
> the app execution in
> com.opensymphony.xwork2.util.ProxyUtil#isHibernateProxy are thrown and
> internally handled a lot of NoClassDefFoundError-s (hundreds of thousands).
> This decreases the performance of our app.

This looks like a bug, if Hibernate isn't present, this function
should be ignored. Feel free to report a bug in JIRA

> Is it safe to upgrade hibernate-core to a non-vulnerable version while
> staying on Struts 6.8.0?

If this is Hibernate 5.x it shouldn't be an issue.

Cheers
Łukasz

