Hi CUBA Team and Community,
We recently ran a Dependency Check on our CUBA-based application and identified several vulnerabilities (CVEs) in the underlying JARs of the framework modules.
To maintain our security compliance, we have identified potential fixes (version overrides) for several of these. However, we are concerned about potential problems that might occur if we implement those on our own.
Could you please review the table attached below and advise us on:
1.) Are there plans to release a maintenance update for the platform that addresses the specific JARs?
2.) Is it possible for you to update the modules that have vulnerability issues?
3.) If we apply the Proposed Fix listed below, can you confirm if these versions are known to be compatible or if they might break platform functionality?
Here is the code we use for the overrides:
```groovy
allprojects {
    configurations.all {
        // Drop the legacy artifacts entirely so they cannot be pulled back in transitively.
        exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
        exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
        exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk15on'
        exclude group: 'jline', module: 'jline'

        resolutionStrategy {
            // `force` only pins modules that something in the graph already requests;
            // the jdk18on and org.jline replacements for the excluded artifacts above
            // must be declared as dependencies for these lines to have any effect.
            force 'org.apache.commons:commons-lang3:3.18.0'
            force 'org.apache.commons:commons-compress:1.27.1'
            force 'commons-beanutils:commons-beanutils:1.11.0'
            force 'org.springframework:spring-tx:5.3.39'
            force 'org.bouncycastle:bcpkix-jdk18on:1.80'
            force 'org.bouncycastle:bcprov-jdk18on:1.80'
            force 'org.bouncycastle:bcprov-ext-jdk18on:1.80'
            force 'org.jline:jline:3.29.0'
            force 'org.owasp.esapi:esapi:2.4.0.0'
            force 'org.apache.velocity:velocity-engine-core:2.4.1'
            force 'org.apache.velocity:velocity-engine-scripting:2.4.1'
            force 'org.apache.santuario:xmlsec:2.2.6'

            // Pin every artifact of these groups so sibling modules stay on one version.
            eachDependency { DependencyResolveDetails details ->
                if (details.requested.group == 'org.codehaus.groovy') {
                    details.useVersion('3.0.21')
                }
                if (details.requested.group == 'org.apache.ant') {
                    details.useVersion('1.9.16')
                }
                if (details.requested.group == 'org.springframework.security') {
                    details.useVersion('5.5.8')
                }
            }
        }
    }
}
```
CUBA Forum Tabelle.pdf (74.9 KB)
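Added example, not part of the original post or of the CUBA platform: Dependency Check scans the JARs that actually end up on the classpath, so before re-scanning it is worth confirming that each `force` and `exclude` above landed on the resolved graph. The script below parses the text of `./gradlew dependencies --configuration runtimeClasspath`, compares every resolved coordinate against the override list from the post, and flags forced modules that never appear at all (a `force` on a module nothing depends on is a no-op, which matters when the jdk15on artifacts are excluded and the jdk18on ones are only forced). The two dependency trees embedded here are constructed samples in the `gradle dependencies` output format; the `com.example:app-core` coordinate is a placeholder.

```python
"""Check that Gradle force/exclude overrides took effect on the resolved graph.

Usage: ./gradlew dependencies --configuration runtimeClasspath > deps.txt
       python check_overrides.py deps.txt
"""
import re
import sys
from typing import Dict, List

# Coordinates and versions mirroring the `force` list in the build script.
FORCED: Dict[str, str] = {
    "org.apache.commons:commons-lang3": "3.18.0",
    "org.apache.commons:commons-compress": "1.27.1",
    "commons-beanutils:commons-beanutils": "1.11.0",
    "org.springframework:spring-tx": "5.3.39",
    "org.bouncycastle:bcpkix-jdk18on": "1.80",
    "org.bouncycastle:bcprov-jdk18on": "1.80",
    "org.bouncycastle:bcprov-ext-jdk18on": "1.80",
    "org.jline:jline": "3.29.0",
    "org.owasp.esapi:esapi": "2.4.0.0",
    "org.apache.velocity:velocity-engine-core": "2.4.1",
    "org.apache.velocity:velocity-engine-scripting": "2.4.1",
    "org.apache.santuario:xmlsec": "2.2.6",
}
# Group-wide pins from the eachDependency block.
FORCED_GROUPS: Dict[str, str] = {
    "org.codehaus.groovy": "3.0.21",
    "org.apache.ant": "1.9.16",
    "org.springframework.security": "5.5.8",
}
# Modules removed with `exclude`; any occurrence means the exclusion did not apply.
EXCLUDED = {
    "org.bouncycastle:bcpkix-jdk15on",
    "org.bouncycastle:bcprov-jdk15on",
    "org.bouncycastle:bcprov-ext-jdk15on",
    "jline:jline",
}

# One node of the `gradle dependencies` tree: drawing prefix ("+--- ", "|    \--- "),
# group:name, optional requested version, optional "-> resolved", trailing (*) or (c).
LINE_RE = re.compile(
    r"^[\s|+\\-]*-{3}\s+"
    r"(?P<group>[^:\s]+):(?P<name>[^:\s]+)"
    r"(?::(?P<requested>\{[^}]*\}|\S+))?"
    r"(?:\s+->\s+(?P<resolved>[^\s(]+))?"
)

# Constructed sample: every override took effect.
GOOD_SAMPLE = """\
runtimeClasspath - Runtime classpath for source set 'main'.
+--- com.example:app-core:1.0
|    +--- org.apache.commons:commons-lang3:3.11 -> 3.18.0
|    +--- org.apache.commons:commons-compress:1.21 -> 1.27.1
|    +--- commons-beanutils:commons-beanutils:1.9.4 -> 1.11.0
|    +--- org.springframework:spring-tx:5.3.30 -> 5.3.39
|    +--- org.springframework.security:spring-security-core:5.5.4 -> 5.5.8
|    +--- org.bouncycastle:bcprov-jdk18on:1.80
|    +--- org.bouncycastle:bcpkix-jdk18on:1.80
|    +--- org.bouncycastle:bcprov-ext-jdk18on:1.80
|    +--- org.codehaus.groovy:groovy:3.0.9 -> 3.0.21
|    +--- org.apache.ant:ant:1.9.15 -> 1.9.16
|    +--- org.jline:jline:3.29.0
|    \\--- org.owasp.esapi:esapi:2.2.3.1 -> 2.4.0.0 (*)
+--- org.apache.velocity:velocity-engine-core:2.3 -> 2.4.1
+--- org.apache.velocity:velocity-engine-scripting:2.3 -> 2.4.1
\\--- org.apache.santuario:xmlsec:2.1.7 -> 2.2.6
"""

# Constructed sample: overrides not applied (e.g. the block lives in the wrong project).
BAD_SAMPLE = """\
runtimeClasspath - Runtime classpath for source set 'main'.
+--- com.example:app-core:1.0
|    +--- org.apache.commons:commons-lang3:3.11
|    +--- org.bouncycastle:bcprov-jdk15on:1.70
|    \\--- org.codehaus.groovy:groovy:3.0.9
"""


def parse_tree(text: str) -> Dict[str, str]:
    """Map 'group:name' to the version Gradle actually resolved for it."""
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, "project :core" entries, blank lines
        version = m["resolved"] or m["requested"]
        if version:
            resolved[f"{m['group']}:{m['name']}"] = version
    return resolved


def audit(text: str) -> List[str]:
    """One finding per override that did not land; an empty list means all took effect."""
    resolved = parse_tree(text)
    findings: List[str] = []
    for coord, want in FORCED.items():
        got = resolved.get(coord)
        if got is None:
            # A forced replacement for an excluded artifact must also be declared
            # as a dependency, otherwise its classes are simply missing.
            findings.append(f"{coord}: not on the graph; force only pins modules that are already requested")
        elif got != want:
            findings.append(f"{coord}: resolved {got}, expected {want}")
    for coord, got in resolved.items():
        group = coord.split(":", 1)[0]
        want = FORCED_GROUPS.get(group)
        if want is not None and got != want:
            findings.append(f"{coord}: resolved {got}, expected {want} for group {group}")
        if coord in EXCLUDED:
            findings.append(f"{coord}: excluded module still on the graph ({got})")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_SAMPLE
    for finding in audit(text) or ["all overrides took effect"]:
        print(finding)
```

Run it once per configuration that ships (runtimeClasspath of each module the WAR/JAR is built from), since `allprojects` overrides still only affect configurations that are actually resolved in that project.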