Releases: ESAPI/esapi-java-legacy

2.5.3.1

01 Dec 05:08
esapi-2.5.3.1
7823a87

Major changes

ESAPI 2.5.3.1 is a minor point release that adds:

  • Updated Javadoc for the Validator.isValidSafeHTML and ValidationRule.getValid methods.
  • Added an always-on log message (emitted a single time only) if either of the isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory.

Release Notes

The release notes for ESAPI release 2.5.3.1 are located at:

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.3.1-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.3.1-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.1-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
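The verify-then-extract step described above, written as an added example (not a script from the ESAPI project) that applies to any release's configuration jar and its detached .asc signature. It assumes gpg and the JDK 'jar' tool are on PATH, that the signer's public key is already imported, and that you supply the signing key's fingerprint (EXPECTED_FPR is a placeholder; the release page does not list it).

```shell
#!/bin/sh
# Added example, not code from the ESAPI project. Verifies the detached GPG
# signature on an ESAPI configuration jar and only then extracts it with
# 'jar xf', so the ESAPI.properties / validation.properties / antisamy-esapi.xml
# you deploy are the ones the project signed. Assumes gpg and the JDK 'jar'
# tool are on PATH and that the signer's public key is already in your keyring.

# Placeholder: the release page does not list the signing key's fingerprint.
# Obtain it out of band and set it here (40 uppercase hex digits, no spaces).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_SIGNER_FINGERPRINT}"

# verify_and_extract_esapi_config <path/to/esapi-X.Y.Z.W-configuration.jar> <dest-dir>
# Returns 0 only when the jar and its .asc exist, gpg reports a valid signature
# from EXPECTED_FPR, and the extracted tree contains configuration/esapi/.
# Returns 2 on bad usage, 1 on any verification or extraction failure.
verify_and_extract_esapi_config() {
    jar_file=$1; dest=$2; sig_file="$1.asc"
    if [ -z "$jar_file" ] || [ -z "$dest" ]; then
        echo "usage: verify_and_extract_esapi_config <jar> <dest-dir>" >&2; return 2
    fi
    [ -f "$jar_file" ] || { echo "missing artifact: $jar_file" >&2; return 1; }
    [ -f "$sig_file" ] || { echo "missing detached signature: $sig_file" >&2; return 1; }

    # --status-fd 1 prints machine-readable status lines; VALIDSIG is only
    # emitted for a good signature and carries the signing key's fingerprint.
    status=$(gpg --batch --status-fd 1 --verify "$sig_file" "$jar_file") || {
        echo "gpg: signature on $jar_file did NOT verify; do not use it" >&2; return 1; }
    if ! printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "; then
        echo "signature is valid but not from the expected key $EXPECTED_FPR" >&2; return 1
    fi

    # jar xf extracts into the current directory, so resolve the jar's
    # absolute path first and extract from inside the destination.
    case $jar_file in /*) abs_jar=$jar_file ;; *) abs_jar=$PWD/$jar_file ;; esac
    mkdir -p "$dest" || return 1
    (cd "$dest" && jar xf "$abs_jar") || { echo "extraction failed" >&2; return 1; }

    # The files of interest live under configuration/esapi (see release notes).
    [ -f "$dest/configuration/esapi/ESAPI.properties" ] || {
        echo "unexpected jar layout: no configuration/esapi/ESAPI.properties" >&2; return 1; }
    echo "verified and extracted to $dest/configuration/esapi:"
    ls "$dest/configuration/esapi"
}

# Example call (file names from the 2.5.3.1 release attachments):
# verify_and_extract_esapi_config esapi-2.5.3.1-configuration.jar ./esapi-config
```

Because the function checks VALIDSIG against a pinned fingerprint rather than just gpg's exit status, a jar signed by some other key in your keyring is still rejected.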

References

  • GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.

2.5.3.0

24 Nov 21:18
esapi-2.5.3.0
ce7a725

Major changes

Release Notes

The release notes for ESAPI release 2.5.3.0 are located at:

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.3.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

References

  • GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.
  • CVE-2023-43643 was addressed by the AntiSamy 1.7.4 upgrade. Even without this AntiSamy patch, ESAPI was not impacted.

The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.3.0.

2.5.2.0

13 Apr 03:42
esapi-2.5.2.0
15737a2

Release Notes

The release notes for ESAPI release 2.5.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.2.0-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.2.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.2.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.2.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

CVEs addressed

  • CVE-2023-24998 was remediated. See Security Bulletin 11 for details.
  • CVE-2023-26119 was remediated. It is not yet known if it impacted ESAPI.

The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.2.0.

2.5.1.0

27 Nov 22:24
esapi-2.5.1.0
958892f

Update summary

  1. Updates to the latest versions of direct dependencies, including:
     • An update to AntiSamy: 1.7.0 --> 1.7.2
     • An update to SLF4J API: 1.7.36 --> 2.0.4 (Note: 2.0.5 is available but likely would result in "convergence" issues with the version that AntiSamy 1.7.2 pulls in.)
  2. A new codec (org.owasp.esapi.codecs.JSONCodec) that provides JSON output encoding as per section 7 of RFC 8259. It is made available via Encoder.encodeForJSON(). (Note: unlike other encoders, there is no corresponding decoder (i.e., decodeForJSON()) made available. Since that would normally be done by your JavaScript code, it wasn't deemed essential.)
  3. Executing 'mvn site' now creates Javadoc for the ESAPI tag library (GitHub issue #733).

Details

For full details, please see the release notes for ESAPI release 2.5.1.0 located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.1.0-release-notes.txt

Note the file "esapi-2.5.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.1.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'.

2.5.0.0

21 Jul 00:30
esapi-2.5.0.0
8993a1a

Release notes for ESAPI release 2.5.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt

IMPORTANT:

  • This release drops all support for ESAPI Logging using Log4J 1 (except through SLF4J). If your ESAPI.Logger property is set to use Log4J and you do not change it, you will get obscure Exceptions or Errors thrown. (Generally an ExceptionInInitializerError.)
  • Because we've upgraded to AntiSamy 1.7.0, there are also some potentially breaking changes in this release if you have customized your antisamy-esapi.xml file.
  • As begun in the previous release, this release only supports Java 8 or later.

If you do nothing else, at least read the short "Changes Requiring Special Attention" section of the 2.5.0.0 release notes. You have been warned!

Finally, note that the file "esapi-2.5.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'.

2.4.0.0

25 Apr 01:34

Release notes for ESAPI release 2.4.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt

IMPORTANT:

  • This release is NOT compatible with Java 7. Java 8 or later is required to use this version of ESAPI. The ESAPI 2.3.0.0 release was the last release to support Java 7.
  • This release of ESAPI fixes an older DoS vulnerability (CVE-2022-28366) that we were unable to patch while supporting Java 7 as the minimal JDK, as well as a newer DoS vulnerability (CVE-2022-29546) that previously did not have a CVE ID during our 2.3.0.0 release. ESAPI users might have seen either of these DoS vulnerabilities manifested via Validator.isValidSafeHTML() and Validator.getValidSafeHTML() in previous releases.

Finally, note that the file "esapi-2.4.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.4.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'.

2.3.0.0

17 Apr 23:50
esapi-2.3.0.0
7797bc3

Full release notes for ESAPI release 2.3.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt

IMPORTANT Note: Because this release of ESAPI fixes several vulnerabilities, it is extremely important that you actually read the FULL release notes and the referenced GitHub Security Advisories. Failure to do so likely will cause previous ESAPI users to miss some critical remediation steps as remediation for CVE-2022-24891 involves more than simply upgrading your dependency to ESAPI 2.3.0.0.

Remediates

Finally, to fully remediate CVE-2022-23891, note that the file "esapi-2.3.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.3.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'. You NEED this jar (or a manual change) to get the important update to the antisamy-esapi.xml file.

2.2.3.1

08 May 03:26
esapi-2.2.3.1
2e8694c

Release notes for ESAPI release 2.2.3.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.1-release-notes.txt
This was a very minor point release.

Note the file "esapi-2.2.3.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.3.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

See also Security Bulletin 5 (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin5.pdf) for a description of why CVE-2021-29425 is NOT exploitable via ESAPI.

ESAPI 2.2.3.0

24 Mar 04:14
esapi-2.2.3.0
67980b8

This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. The main updates are:
-- AntiSamy, from 1.5.11 to 1.6.2.
-- As a result of the AntiSamy upgrade, the transitive dependency xercesImpl was updated from 2.12.0 to 2.12.1 which should address CVE-2020-14338.
-- Apache batik-css, updated from 1.13 to 1.14.

See the ESAPI 2.2.3.0 release notes for details.

Note the configuration jar and its detached signature are also attached. Also note that the 2 security advisories are (sort of) relevant if you are either using ESAPI's deprecated log4j 1.x logging or are concerned about your SCA tools popping up warnings about ESAPI:

2.2.2.0

28 Nov 16:00
esapi-2.2.2.0

Release notes for ESAPI release 2.2.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.2.0-release-notes.txt
If you are updating from ESAPI 2.2.0.0 or earlier, be especially sure to read the release notes section "Changes Requiring Special Attention" as it describes what needs to be done to get ESAPI logging to work.

Lastly, be sure to also read Security Bulletin #3 at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf

Note the file "esapi-2.2.2.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.2.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.