Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jaxws-ri 3.x are vulnerable #654

Open
aagrawal3 opened this issue Jun 23, 2023 · 7 comments
Open

jaxws-ri 3.x are vulnerable #654

aagrawal3 opened this issue Jun 23, 2023 · 7 comments

Comments

@aagrawal3
Copy link

This is with reference to vulnerabilities present in 3.x version of https://mvnrepository.com/artifact/com.sun.xml.ws/jaxws-ri
Is there a plan to provide patch release on top of 3.0.2 to address the vulnerable packages? If yes, please help us with a timeline.

There is an option to switch to 4.x but these are only compatible with JDK11.
@arjantijms
Copy link
Contributor

There is an option to switch to 4.x but these are only compatible with JDK11.

I think they are compatible with the current JDK 17 as well, so there's no need to avoid it?

@aagrawal3
Copy link
Author

Perhaps yes. I haven't checked the compatibility with JDK17.
3.x is compatible with JDK8 while 4.x is not. Switching to 4.x would require upgrade in JDK version which is highly inconvenient.

@lukasj
Copy link
Member

lukasj commented Jun 23, 2023

it's safe to use newer version of woodstox 6.5.1, which is an external dependency

@aagrawal3
Copy link
Author

aagrawal3 commented Jun 23, 2023
edited

it's safe to use newer version of woodstox 6.5.1, which is an external dependency

We are doing it as a workaround. Excluding woodstox-core from jaxws-ri:3.0.2 and compiling our build higher version of woodstox-core. We were worried about breaking something (unintentionally). It would be nicer to have an official 3.x patch release (with updated woodstox-core) on maven central.

@arjantijms
Copy link
Contributor

Switching to 4.x would require upgrade in JDK version which is highly inconvenient.

The trick, in general, is to not perceive upgrading JDK versions as inconvenient, and specifically not as highly inconvenient.

I know it's very general advice, but when you keep updating to every JDK version every time a new one comes out, you will often safe yourself a lot of trouble.

@aagrawal3
Copy link
Author

I know it’s very general advice, but when you keep updating to every JDK version every time a new one comes out, you will often safe yourself a lot of trouble.

Yes, I agree it is a good practice. Unfortunately for us, it is not a feasible option in near future. We need to make sure that we are not breaking backward compatibility in our products until we provide users enough time to migrate. Since JDK8 is in support till 2030 and in use by a large codebase, moving away from JDK8 creates a very big technical debt. Thats why I used the term inconvenient.

@arjantijms
Copy link
Contributor

I hear you, though one additionally thing to comment on:

moving away from JDK8 creates a very big technical debt.

Moving away from JDK8 solves a very big technical debt, since JDK8 (in your case, but many other cases I assume too), IS the technical debt. The fact that you for some reason or the other MUST stay on an ancient version and are prevented from updating to even an old version (let alone a recent version) is the very definition of technical debt ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lukasj @arjantijms @aagrawal3