[ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17158060#comment-17158060 ]
Jonathan Gallimore commented on TOMEE-2876:
-------------------------------------------
This has been discussed on the mailing list, and in short, isn't
straightforward, as the newer versions of CXF target newer versions of JAX-RS
than the TomEE 7.x.y branches are using (TomEE 7 targets EE7). That restricts
us to CXF 3.1.x on these branches. The CXF team have confirmed that they will
not create newer releases on the 3.1.x branch.
You could consider moving to TomEE 8. Over the next couple of days, I will look
at the possibility of patching these using the tomee-patch-plugin we recently
introduced with the Jakarta EE 9 work - does that sound reasonable?
These two CVEs are unlikely to impact TomEE:
[https://nvd.nist.gov/vuln/detail/CVE-2019-12423]
This relates to the JWK functionality in CXF, which TomEE does not use. Unless
you're doing something specific in your application to use this functionality,
you shouldn't be affected by this.
[https://nvd.nist.gov/vuln/detail/CVE-2020-1954]
It's possible to register an InstrumentationManager extension with the CXF bus,
which opens a JMX/RMI port that is vulnerable to a man-in-the-middle attack.
You'll notice from the CXF announcement that I helped to research and patch
this issue in CXF. If you're using CXF directly, with a config like this:
[https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/wsdl_first/src/main/resources/server-applicationContext.xml#L32-L37]
you may be vulnerable. TomEE does not use this functionality, but your
application might.
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
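The comment above notes that TomEE itself does not register the CXF InstrumentationManager, but an application's own Spring/CXF configuration might. The following is an added example (not code from TomEE, CXF or the commenter) of a small audit script that parses a bean XML file and reports every InstrumentationManagerImpl bean together with its createMBServerConnectorFactory setting, which is the property the CVE-2020-1954 exposure hinges on. The class name org.apache.cxf.management.jmx.InstrumentationManagerImpl and the property names are CXF's real ones; the sample configuration embedded in the block is constructed for the example, and treating an absent property as "not explicitly disabled" (and therefore worth reviewing on the unpatched 3.1.x line this issue concerns) is this script's assumption.

```python
"""Audit a Spring/CXF bean XML for InstrumentationManagerImpl beans whose
JMX/RMI connector is not explicitly disabled (the setting behind CVE-2020-1954).
Added example; not part of TomEE or CXF."""
import xml.etree.ElementTree as ET

# Real CXF class name of the default InstrumentationManager extension.
INSTRUMENTATION_MANAGER = "org.apache.cxf.management.jmx.InstrumentationManagerImpl"
# Real property name that controls creation of the JMX RMI connector.
CONNECTOR_PROPERTY = "createMBServerConnectorFactory"

# Constructed sample configuration: one unrelated bean, one manager that turns
# the connector on, one that relies on the default, one that disables it.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="greeter" class="demo.GreeterImpl"/>
  <bean id="jmxExposed" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="bus" ref="cxf"/>
    <property name="enabled" value="true"/>
    <property name="createMBServerConnectorFactory" value="true"/>
    <property name="JMXServiceURL" value="service:jmx:rmi:///jndi/rmi://localhost:9913/jmxrmi"/>
  </bean>
  <bean id="jmxDefault" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="bus" ref="cxf"/>
    <property name="enabled" value="true"/>
  </bean>
  <bean id="jmxHardened" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="bus" ref="cxf"/>
    <property name="enabled" value="true"/>
    <property name="createMBServerConnectorFactory" value="false"/>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_jmx_connector_risks(xml_text):
    """Return one finding per InstrumentationManagerImpl bean in xml_text.

    A finding is a dict with the bean id, the literal value of
    createMBServerConnectorFactory (None when the property is absent) and an
    'exposed' flag. Assumption of this script: an absent property is treated as
    exposed, since the CVE text describes the exposure as "not disabled".
    """
    root = ET.fromstring(xml_text)
    findings = []
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != INSTRUMENTATION_MANAGER:
            continue
        setting = None
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == CONNECTOR_PROPERTY:
                setting = (prop.get("value") or "").strip().lower()
        exposed = True if setting is None else setting == "true"
        findings.append({
            "bean": bean.get("id", "<anonymous>"),
            "setting": setting,
            "exposed": exposed,
        })
    return findings


def exposed_beans(xml_text):
    """Convenience wrapper: ids of beans that still need attention."""
    return [f["bean"] for f in find_jmx_connector_risks(xml_text) if f["exposed"]]


if __name__ == "__main__":
    for finding in find_jmx_connector_risks(SAMPLE_CONFIG):
        state = "EXPOSED" if finding["exposed"] else "ok"
        print(f"{finding['bean']}: {CONNECTOR_PROPERTY}={finding['setting']} -> {state}")
```

Run it against your own application's CXF/Spring bean files; a bean that appears with EXPOSED either enables the connector outright or leaves the default in place, and the remediation on an affected CXF release is to set the property to false (or drop the InstrumentationManager bean if JMX is not needed) until the dependency is moved to a fixed release.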