[
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208770#comment-17208770
]
Robert Schaft commented on TOMEE-2876:
--------------------------------------
> JAX-RS is the API, CXF is the implementation. Theoretically, we could change
>to something different, but TomEE consciously chooses to use Apache
>implementations where possible. Creating a new implementation of JAX-RS from
>scratch is likely a very substantial task.
So if CXF is just the implementation, why can't you update to a higher minor
CXF version that has the issues fixed?
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
