Hi Jon, I have overlooked another reason why CXF cannot be updated in TomEE 7.x. CXF 3.2 and 3.3 implement JAX-RS 2.1, which is part of Java EE 8 and it would not be right to add this to TomEE 7.x which is supposed to implement Java EE 7.
Lazar

On Thu, Jul 2, 2020 at 1:08 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> Sorry for the delayed reply.
>
> Just a little bit of background on the TomEE branches:
>
> Current master / TomEE 8 targets EE 8, and requires a minimum Java SE 8.
> 7.0.x targets EE 7, and requires a minimum Java SE 7.
> 7.1.x also targets EE 7, and is intended to be essentially the same as
> 7.0.x. It includes MicroProfile, which requires Java SE 8, so this version
> of TomEE also requires Java SE 8.
>
> As you point out, CXF 3.1.x is not supported by the community any more. We
> can probably provide patches, and they may be merged, but they are unlikely
> to cut a release for us. Moving to a more recent version means that we
> break the minimum Java SE 7 version on TomEE 7.0.x. If we just moved TomEE
> 7.1.x to a later version, we end up with TomEE 7.0.x and 7.1.x diverging
> quite a bit, which brings about the question of whether the 7.1.x branch is
> worth keeping around.
>
> TomEE 8 uses a more up to date version of CXF, so if migrating to TomEE 8
> is an option for you, that's worth considering.
>
> The CVE you specifically reference I'd need to specifically take a look at.
> It's not flagging up against the version of CXF in 7.1.x for me here, so I'd
> need to see where the JWK functionality was introduced. There's a couple of
> other vulnerabilities in this version of CXF, such as CVE-2020-1954
> and CVE-2019-12419, which shouldn't affect TomEE as those features of CXF
> are not used by TomEE itself. Your application may be using them, but if it
> is, it's likely not portable between Java EE servers and quite tightly
> coupled to CXF.
>
> All this being said, this thread has given me an idea - I'll experiment
> with it and come back with an update.
>
> Jon
>
> On Thu, Jul 2, 2020 at 7:58 AM Lazar Kirchev <lazar.kirc...@gmail.com>
> wrote:
>
> > Hello,
> >
> > Any update on this?
> >
> > Thanks,
> > Lazar
> >
> > On Fri, Jun 12, 2020 at 9:26 AM Lazar Kirchev <lazar.kirc...@gmail.com>
> > wrote:
> >
> > > Hello,
> > >
> > > Both TomEE 7.0.x and TomEE 7.1.x latest versions ship with CXF version
> > > 3.1.18. However, CXF 3.1.x is not supported anymore and version 3.1.18
> > > (which is the last one) is from the beginning of 2019 and has security
> > > vulnerabilities (e.g. https://nvd.nist.gov/vuln/detail/CVE-2019-12423
> > > and https://nvd.nist.gov/vuln/detail/CVE-2019-17573).
> > > Replacing the CXF version in TomEE 7.x with 3.2.x or 3.3.x does not work
> > > because these have incompatible changes in some interfaces which TomEE
> > > implements for integrating CXF.
> > > Do you have any plans to adopt new versions of CXF in TomEE 7.x? If not,
> > > any suggestions how to work around this problem?
> > >
> > > Thanks,
> > > Lazar
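Editor's note on the thread above. Jon's point is that a CVE against a CXF feature only reaches a deployment that actually ships and uses the module carrying that feature, so the first practical check is an inventory of the CXF jars in TomEE's lib/ directory: which modules are present, and whether each is below the fixed version for the CVEs named in this thread. The script below is an added example written for this page, not code from the TomEE or Apache CXF projects. The module names and fixed-version thresholds in FIXED_IN are assumptions and must be checked against the NVD entries linked above before relying on them; the lib/ directory it scans is constructed in-process from empty jars with a manifest, not a real TomEE distribution.

```python
"""Inventory CXF jars in a TomEE-style lib/ directory and flag modules that
are below an assumed fixed version for the CVEs discussed in the thread.

Added example, not TomEE or CXF project code. FIXED_IN is an assumption:
verify each module name and threshold against the NVD entry for the CVE.
"""
import os
import re
import tempfile
import zipfile

# Assumed: CVE -> (CXF artifactId carrying the affected code,
#                  earliest fixed versions on the 3.2 and 3.3 lines).
FIXED_IN = {
    "CVE-2019-12423": ("cxf-rt-rs-security-jose", [(3, 2, 12), (3, 3, 5)]),
    "CVE-2019-17573": ("cxf-rt-transports-http", [(3, 2, 12), (3, 3, 5)]),
    "CVE-2019-12419": ("cxf-rt-rs-security-sso-oidc", [(3, 2, 12), (3, 3, 5)]),
    "CVE-2020-1954": ("cxf-rt-management", [(3, 2, 13), (3, 3, 6)]),
}
MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version")
JAR_RE = re.compile(r"^(cxf-[a-z0-9-]+?)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'3.1.18' -> (3, 1, 18); qualifiers such as '-SNAPSHOT' are dropped."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not nums:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(n) for n in nums.groups())


def jar_version(path):
    """Prefer the version in META-INF/MANIFEST.MF; fall back to the file name."""
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip() in MANIFEST_KEYS and value.strip():
                    return parse_version(value.strip())
    m = JAR_RE.match(os.path.basename(path))
    return parse_version(m.group(2)) if m else None


def is_fixed(version, fixed_versions):
    """True when version is at/above the fix for its own minor line, or above
    every listed fix (a newer line). A line older than every fix, such as
    3.1.x, never counts as fixed: there is no 3.1.x release carrying the fix."""
    same_line = [f for f in fixed_versions if f[:2] == version[:2]]
    if same_line:
        return version >= min(same_line)
    return version >= max(fixed_versions)


def scan(lib_dir):
    """Return ({artifactId: version}, sorted [(cve, module, version)]).
    A CVE is only reported when its module is actually on the classpath."""
    jars = {}
    for root, _, files in os.walk(lib_dir):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                version = jar_version(os.path.join(root, name))
                if version:
                    jars[m.group(1)] = version
    findings = [(cve, module, jars[module])
                for cve, (module, fixed) in FIXED_IN.items()
                if module in jars and not is_fixed(jars[module], fixed)]
    return jars, sorted(findings)


def build_sample_lib(lib_dir, version):
    """Constructed stand-in for lib/: empty jars whose manifests carry the
    given CXF version. The OIDC module is deliberately left out."""
    modules = ["cxf-core", "cxf-rt-frontend-jaxrs", "cxf-rt-transports-http",
               "cxf-rt-rs-security-jose", "cxf-rt-management"]
    for module in modules:
        path = os.path.join(lib_dir, "%s-%s.jar" % (module, version))
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n\r\n" % version)
    return modules


def demo(version="3.1.18"):
    """Scan a constructed lib/ shipping the given CXF version."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir, version)
        return scan(lib_dir)


if __name__ == "__main__":
    jars, findings = demo()
    for cve, module, version in findings:
        print("%s: %s %s is below the assumed fix" % (cve, module, ".".join(map(str, version))))
```

Run against a real install with `scan("/opt/tomee/lib")`. Note what the output does and does not tell you: a module being absent means the affected code is not on the classpath at all, which is the strongest evidence that the CVE does not apply; a module being present below the threshold means the code is reachable, not that your application calls into it, which is the distinction Jon draws for CVE-2020-1954 and CVE-2019-12419.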