metro-jax-ws icon indicating copy to clipboard operation
metro-jax-ws copied to clipboard

Published 20 hours ago verified publisher icon eclipse-ee4j

jaxws-ri 3.x are vulnerable

Open aagrawal3 opened this issue 1 year ago • 7 comments

This is with reference to vulnerabilities present in 3.x version of https://mvnrepository.com/artifact/com.sun.xml.ws/jaxws-ri Is there a plan to provide patch release on top of 3.0.2 to address the vulnerable packages? If yes, please help us with a timeline.

There is an option to switch to 4.x but these are only compatible with JDK11.

aagrawal3 avatar Jun 23 '23 09:06 aagrawal3

There is an option to switch to 4.x but these are only compatible with JDK11.

I think they are compatible with the current JDK 17 as well, so there's no need to avoid it?

arjantijms avatar Jun 23 '23 11:06 arjantijms

Perhaps yes. I haven't checked the compatibility with JDK17. 3.x is compatible with JDK8 while 4.x is not. Switching to 4.x would require upgrade in JDK version which is highly inconvenient.

aagrawal3 avatar Jun 23 '23 11:06 aagrawal3

it's safe to use newer version of woodstox 6.5.1, which is an external dependency

lukasj avatar Jun 23 '23 11:06 lukasj

it's safe to use newer version of woodstox 6.5.1, which is an external dependency

We are doing it as a workaround. Excluding woodstox-core from jaxws-ri:3.0.2 and compiling our build higher version of woodstox-core. We were worried about breaking something (unintentionally). It would be nicer to have an official 3.x patch release (with updated woodstox-core) on maven central.

aagrawal3 avatar Jun 23 '23 11:06 aagrawal3

Switching to 4.x would require upgrade in JDK version which is highly inconvenient.

The trick, in general, is to not perceive upgrading JDK versions as inconvenient, and specifically not as highly inconvenient.

I know it's very general advice, but when you keep updating to every JDK version every time a new one comes out, you will often safe yourself a lot of trouble.

arjantijms avatar Jun 23 '23 14:06 arjantijms

I know it’s very general advice, but when you keep updating to every JDK version every time a new one comes out, you will often safe yourself a lot of trouble.

Yes, I agree it is a good practice. Unfortunately for us, it is not a feasible option in near future. We need to make sure that we are not breaking backward compatibility in our products until we provide users enough time to migrate. Since JDK8 is in support till 2030 and in use by a large codebase, moving away from JDK8 creates a very big technical debt. Thats why I used the term inconvenient.

aagrawal3 avatar Jun 26 '23 05:06 aagrawal3

I hear you, though one additionally thing to comment on:

moving away from JDK8 creates a very big technical debt.

Moving away from JDK8 solves a very big technical debt, since JDK8 (in your case, but many other cases I assume too), IS the technical debt. The fact that you for some reason or the other MUST stay on an ancient version and are prevented from updating to even an old version (let alone a recent version) is the very definition of technical debt ;)

arjantijms avatar Jun 27 '23 18:06 arjantijms