Sorry for the delayed reply. Just a little bit of background on the TomEE branches:

Current master / TomEE 8 targets EE 8 and requires a minimum of Java SE 8. 7.0.x targets EE 7 and requires a minimum of Java SE 7. 7.1.x also targets EE 7 and is intended to be essentially the same as 7.0.x. It includes MicroProfile, which requires Java SE 8, so this version of TomEE also requires Java SE 8.

As you point out, CXF 3.1.x is not supported by the community any more. We can probably provide patches, and they may be merged, but they are unlikely to cut a release for us. Moving to a more recent version means that we break the minimum Java SE 7 version on TomEE 7.0.x. If we just moved TomEE 7.1.x to a later version, we end up with TomEE 7.0.x and 7.1.x diverging quite a bit, which brings about the question of whether the 7.1.x branch is worth keeping around. TomEE 8 uses a more up-to-date version of CXF, so if migrating to TomEE 8 is an option for you, that's worth considering.

The CVE you specifically reference I'd need to specifically take a look at. It's not flagging up against the version of CXF in 7.1.x for me here, so I'd need to see where the JWK functionality was introduced. There are a couple of other vulnerabilities in this version of CXF, such as CVE-2020-1954 and CVE-2019-12419, which shouldn't affect TomEE as those features of CXF are not used by TomEE itself. Your application may be using them, but if it is, it's likely not portable between Java EE servers and quite tightly coupled to CXF.

All this being said, this thread has given me an idea - I'll experiment with it and come back with an update.

Jon

On Thu, Jul 2, 2020 at 7:58 AM Lazar Kirchev <[email protected]> wrote:

> Hello,
>
> Any update on this?
>
> Thanks,
> Lazar
>
> On Fri, Jun 12, 2020 at 9:26 AM Lazar Kirchev <[email protected]> wrote:
>
> > Hello,
> >
> > Both TomEE 7.0.x and TomEE 7.1.x latest versions ship with CXF version 3.1.18. However, CXF 3.1.x is not supported anymore and version 3.1.18 (which is the last one) is from the beginning of 2019 and has security vulnerabilities (e.g. https://nvd.nist.gov/vuln/detail/CVE-2019-12423 and https://nvd.nist.gov/vuln/detail/CVE-2019-17573).
> > Replacing the CXF version in TomEE 7.x with 3.2.x or 3.3.x does not work because these have incompatible changes in some interfaces which TomEE implements for integrating CXF.
> > Do you have any plans to adopt new versions of CXF in TomEE 7.x? If not, any suggestions how to work this problem around?
> >
> > Thanks,
> > Lazar
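The practical question raised by this thread is which CXF line a given TomEE installation actually ships, and whether that line still receives upstream fixes. The following script is an added example, not code from the TomEE or CXF projects: it inventories the `cxf-*` jars in a TomEE `lib/` directory, reports the CXF version(s) found, and flags the 3.1.x line as end-of-life because that is what the thread states. The `EOL_LINES` set, the `<artifact>-<version>.jar` naming assumption and the `SAMPLE_LIB` listing are the example's own constructions.

```python
"""Inventory the CXF jars bundled with a TomEE install and flag an end-of-life line.

Added example, not TomEE or CXF project code. Assumes the jars in TomEE's
lib/ directory are named <artifact>-<version>.jar (e.g. cxf-core-3.1.18.jar).
"""
import os
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Only the 3.1.x line is recorded here, because that is the line the thread
# says is no longer supported; extend this from the CXF project's own notices.
EOL_LINES = {(3, 1)}

# Matches cxf-<segments>-<dotted version>[-qualifier].jar; artifact segments
# must start with a letter so the version is never swallowed into the name.
JAR_RE = re.compile(
    r"^(?P<artifact>cxf(?:-[a-z][a-z0-9]*)*)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:-[A-Za-z0-9]+)?\.jar$"
)


class CxfJar(NamedTuple):
    artifact: str
    version: Tuple[int, ...]
    raw_version: str


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '3.1.18' into (3, 1, 18) so versions compare numerically."""
    return tuple(int(part) for part in raw.split("."))


def find_cxf_jars(names: Iterable[str]) -> List[CxfJar]:
    """Return the CXF jars among a list of jar file names, non-CXF jars ignored."""
    found = []
    for name in names:
        match = JAR_RE.match(name)
        if match:
            raw = match.group("version")
            found.append(CxfJar(match.group("artifact"), parse_version(raw), raw))
    return found


def audit_lib(names: Iterable[str]) -> Dict[str, object]:
    """Summarise the CXF jars: versions present, mixed-version drift, EOL line."""
    jars = find_cxf_jars(names)
    versions = sorted({jar.raw_version for jar in jars}, key=parse_version)
    return {
        "jars": jars,
        "cxf_versions": versions,
        # More than one CXF version on the classpath usually means a partial
        # upgrade or a jar dropped in by hand; it deserves attention on its own.
        "mixed_versions": len(versions) > 1,
        "eol": any(jar.version[:2] in EOL_LINES for jar in jars),
    }


def audit_dir(lib_dir: str) -> Dict[str, object]:
    """Audit a real TomEE lib/ directory, e.g. audit_dir('/opt/tomee/lib')."""
    return audit_lib(os.listdir(lib_dir))


# Constructed directory listing for demonstration, not a real TomEE lib/.
SAMPLE_LIB = [
    "cxf-core-3.1.18.jar",
    "cxf-rt-frontend-jaxrs-3.1.18.jar",
    "cxf-rt-rs-security-jose-3.1.18.jar",
    "openejb-core-7.1.2.jar",
    "tomcat-catalina-8.5.50.jar",
]

if __name__ == "__main__":
    result = audit_lib(SAMPLE_LIB)
    for jar in result["jars"]:
        print(f"{jar.artifact:40s} {jar.raw_version}")
    print("CXF versions:", ", ".join(result["cxf_versions"]))
    if result["mixed_versions"]:
        print("WARNING: more than one CXF version on the classpath")
    if result["eol"]:
        print("WARNING: CXF line is end-of-life; no upstream fixes will be released")
```

The script only tells you which line you are on; whether a specific CVE applies still depends on whether the affected feature (the thread mentions JWK/JOSE and other CXF modules TomEE itself does not use) is reachable from your application, so pair it with a review of which `cxf-rt-*` modules your deployment actually exercises.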
