Alexandre Vermeerbergen created TOMEE-2241:
----------------------------------------------
Summary: Need to upgrade commons-lang3-3.5.jar to
commons-lang3-3.8.jar to allows Struts users to fix CVE-2018-11776 in their app
Key: TOMEE-2241
URL: https://issues.apache.org/jira/browse/TOMEE-2241
Project: TomEE
Issue Type: Dependency upgrade
Components: TomEE Core Server
Affects Versions: 7.0.5
Reporter: Alexandre Vermeerbergen
Fix For: 7.0.6
We are running our web apps with TomEE+ 7.0.5 and we are trying to
upgrade our Apache struts based app to latest version (Struts 2.5.17) because
of CVE-2018-11776.
Fixing this CVE-2018-11776 security issue involves upgrading web apps Struts
dependency to Struts 2.5.17 (see
[https://struts.apache.org/announce.html#a20180822-0)].
However it turns out that Struts 2.5.17 depends on new classes
introduced inĀ commons-lang3-3.6 (class
org.apache.commons.lang3.reflect.MethodUtils does not have a method
getAnnotation method which is expected by struts 2.5.17), and Apache TomEE
7.0.5 comes with commons-lang3-3.5.jar
commons-lang3-3.5.jar is very old, we should upgrade TomEE core's dependency to
latest commons-lang3. Currently this is commons-lang3-3.8.jar
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
