CXF version in TomEE 7.x

CXF version in TomEE 7.x

lazarkirchev
Hello,

Both TomEE 7.0.x and TomEE 7.1.x latest versions ship with CXF version
3.1.18. However, CXF 3.1.x is not supported anymore and version 3.1.18
(which is the last one) is from the beginning of 2019 and has security
vulnerabilities (e.g. https://nvd.nist.gov/vuln/detail/CVE-2019-12423 and
https://nvd.nist.gov/vuln/detail/CVE-2019-17573).
Replacing the CXF version in TomEE 7.x with 3.2.x or 3.3.x does not work
because these have incompatible changes in some interfaces which TomEE
implements for integrating CXF.
Do you have any plans to adopt new versions of CXF in TomEE 7.x? If not,
any suggestions on how to work around this problem?

Thanks,
Lazar
Re: CXF version in TomEE 7.x

lazarkirchev
Hello,

Any update on this?

Thanks,
Lazar

On Fri, Jun 12, 2020 at 9:26 AM Lazar Kirchev <[hidden email]>
wrote:

Re: CXF version in TomEE 7.x

jgallimore
Sorry for the delayed reply.

Just a little bit of background on the TomEE branches:

Current master / TomEE 8 targets EE 8, and requires a minimum Java SE 8.
7.0.x targets EE7, and requires a minimum Java SE 7.
7.1.x also targets EE7, and is intended to be essentially the same as
7.0.x. It includes MicroProfile, which requires Java SE 8, so this version
of TomEE also requires Java SE 8.

As you point out, CXF 3.1.x is not supported by the community any more. We
can probably provide patches, and they may be merged, but they are unlikely
to cut a release for us. Moving to a more recent version means that we
break the minimum Java SE 7 version on TomEE 7.0.x. If we just moved TomEE
7.1.x to a later version, we would end up with TomEE 7.0.x and 7.1.x diverging quite
a bit, which brings about the question of whether the 7.1.x branch is
worth keeping around.

TomEE 8 uses a more up to date version of CXF, so if migrating to TomEE 8
is an option for you, that's worth considering.

The CVE you specifically reference I'd need to specifically take a look at.
It's not flagging up against the version of CXF in 7.1.x for me here, so I'd
need to see where the JWK functionality was introduced. There are a couple of
other vulnerabilities in this version of CXF, such as CVE-2020-1954
and CVE-2019-12419, which shouldn't affect TomEE as those features of CXF
are not used by TomEE itself. Your application may be using them, but if it
is, it's likely not portable between Java EE servers and quite tightly
coupled to CXF.

All this being said, this thread has given me an idea - I'll experiment
with it and come back with an update.

Jon

On Thu, Jul 2, 2020 at 7:58 AM Lazar Kirchev <[hidden email]>
wrote:

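As an added example (not from the thread or the TomEE project), a defender-side inventory check in the spirit of Jon's reply: it reads the CXF version from the jar names in a TomEE lib directory, flags anything below 3.2 as the unsupported 3.1.x line, and scans a deployed WAR's class files for references to the CXF JWK/JOSE and OAuth2 packages, so you can tell whether a CVE in those features can reach your application at all. The package-to-feature mapping and the fixture it builds are assumptions, not data from the thread.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption (not from the thread): the JWK/JOSE and OAuth2 features Jon mentions
# live under these CXF packages, spelled as class-file constant pools store them.
FEATURE_PACKAGES = {"jose/jwk": b"org/apache/cxf/rs/security/jose",
                    "oauth2": b"org/apache/cxf/rs/security/oauth2"}
CXF_JAR = re.compile(r"^cxf-.*-(\d+)\.(\d+)\.(\d+)\.jar$")

def cxf_versions(lib_dir):
    """Distinct CXF versions among cxf-*-X.Y.Z.jar files in lib_dir."""
    hits = (CXF_JAR.match(p.name) for p in Path(lib_dir).glob("cxf-*.jar"))
    return {tuple(int(n) for n in m.groups()) for m in hits if m}

def unsupported(version):
    """Per the thread, CXF 3.1.x is no longer supported: below 3.2 flags."""
    return version < (3, 2, 0)

def war_feature_refs(war_path):
    """Feature packages referenced by any .class in the WAR (also inside
    WEB-INF/lib/*.jar): the constant pool stores class names as plain UTF-8."""
    found = set()
    def scan(zf):
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".class"):
                found.update(f for f, pkg in FEATURE_PACKAGES.items() if pkg in data)
            elif name.endswith(".jar"):
                scan(zipfile.ZipFile(io.BytesIO(data)))
    with zipfile.ZipFile(war_path) as zf:
        scan(zf)
    return found

def check_sample():
    """Constructed fixture: a lib dir with CXF 3.1.18 jars and a WAR whose one
    class mentions a JWK type (stub bytes, not real bytecode)."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root, "lib")
        lib.mkdir()
        for n in ("cxf-core-3.1.18.jar", "cxf-rt-frontend-jaxrs-3.1.18.jar"):
            (lib / n).touch()
        war = Path(root, "app.war")
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/classes/demo/Keys.class", b"\xca\xfe\xba\xbe"
                        + b"org/apache/cxf/rs/security/jose/jwk/JsonWebKey")
        versions = cxf_versions(lib)
        return {"versions": sorted(versions),
                "unsupported": any(unsupported(v) for v in versions),
                "features": sorted(war_feature_refs(war))}
```

Point it at a real `tomee/lib` and `webapps/*.war`; an empty `features` set means the JWK/OAuth2 code paths are not linked from your application, which is the check Jon's "your application may be using them" caveat calls for.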
Re: CXF version in TomEE 7.x

lazarkirchev
Hi Jon,

I have overlooked another reason why CXF cannot be updated in TomEE 7.x.
CXF 3.2 and 3.3 implement JAX-RS 2.1, which is part of Java EE 8, and it
would not be right to add this to TomEE 7.x, which is supposed to implement
Java EE 7.

Lazar

On Thu, Jul 2, 2020 at 1:08 PM Jonathan Gallimore <
[hidden email]> wrote:
