Discussion:
[jira] [Created] (AXIS2-5917) Vulnerabilities found in Axis2 with the use of Geronimo
David Moriconi (JIRA)
2018-06-01 11:58:00 UTC
David Moriconi created AXIS2-5917:
-------------------------------------

Summary: Vulnerabilities found in Axis2 with the use of Geronimo
Key: AXIS2-5917
URL: https://issues.apache.org/jira/browse/AXIS2-5917
Project: Axis2
Issue Type: Bug
Reporter: David Moriconi


Axis2 uses a version of the Geronimo library that contains multiple vulnerabilities (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=geronimo).

There is a newer version of Geronimo that addresses some of these vulnerabilities, which is not included in the latest version of Axis2 (1.7.8).

Can you please advise us about this? Are the vulnerabilities exposed in Axis2? If so, how can we address them?

Thank you



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-***@axis.apache.org
For additional commands, e-mail: java-dev-***@axis.apache.org
robert lazarski (JIRA)
2018-06-01 13:30:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497984#comment-16497984 ]

robert lazarski commented on AXIS2-5917:
----------------------------------------

There was a Geronimo Application Server project; however, development stopped years ago. Keep that in mind when looking at Geronimo CVEs.

Separately, Geronimo continues to provide implementations of Java specs and Axis2 distributes the following jars. I see no related issues on these in the link provided.

./axis2-1.7.8/lib/geronimo-ws-metadata_2.0_spec-1.1.2.jar
./axis2-1.7.8/lib/geronimo-jta_1.1_spec-1.1.jar
./axis2-1.7.8/lib/geronimo-saaj_1.3_spec-1.0.1.jar
./axis2-1.7.8/lib/geronimo-stax-api_1.0_spec-1.0.1.jar
./axis2-1.7.8/lib/endorsed/geronimo-jaxws_2.2_spec-1.0.jar
./axis2-1.7.8/lib/endorsed/geronimo-saaj_1.3_spec-1.0.1.jar
./axis2-1.7.8/lib/geronimo-annotation_1.0_spec-1.1.jar
./axis2-1.7.8/lib/geronimo-jaxws_2.2_spec-1.0.jar

 

 
Post by David Moriconi (JIRA)
Vulnerabilities found in Axis2 with the use of Geronimo
-------------------------------------------------------
Key: AXIS2-5917
URL: https://issues.apache.org/jira/browse/AXIS2-5917
Project: Axis2
Issue Type: Bug
Reporter: David Moriconi
Priority: Major
Axis2 uses a version of the Geronimo library that contains multiple vulnerabilities (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=geronimo).
There is a newer version of Geronimo that addresses some of these vulnerabilities, which is not included in the latest version of Axis2 (1.7.8).
Can you please advise us about this? Are the vulnerabilities exposed in Axis2? If so, how can we address them?
Thank you
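A triage sketch for the jar listing in the comment above, added here as an example and not code from the thread or the Axis2 project: it parses each file name into API, spec version and artifact version, so each jar can be checked by its own coordinates instead of a "geronimo" keyword search, and reports jars shipped in more than one directory. The function names and the file-name pattern are assumptions drawn from the listing itself.

```python
import re
from collections import defaultdict

# Jar paths copied from the listing in the comment above.
LISTING = """\
./axis2-1.7.8/lib/geronimo-ws-metadata_2.0_spec-1.1.2.jar
./axis2-1.7.8/lib/geronimo-jta_1.1_spec-1.1.jar
./axis2-1.7.8/lib/geronimo-saaj_1.3_spec-1.0.1.jar
./axis2-1.7.8/lib/geronimo-stax-api_1.0_spec-1.0.1.jar
./axis2-1.7.8/lib/endorsed/geronimo-jaxws_2.2_spec-1.0.jar
./axis2-1.7.8/lib/endorsed/geronimo-saaj_1.3_spec-1.0.1.jar
./axis2-1.7.8/lib/geronimo-annotation_1.0_spec-1.1.jar
./axis2-1.7.8/lib/geronimo-jaxws_2.2_spec-1.0.jar
"""

# Naming pattern visible in that listing (an assumption, not a published rule):
#   geronimo-<api>_<spec version>_spec-<artifact version>.jar
SPEC_JAR = re.compile(
    r"geronimo-(?P<api>[a-z-]+)_(?P<spec>[\d.]+)_spec-(?P<artifact>\d[\d.]*)\.jar")


def triage(listing):
    """Split a jar listing into spec-API jars and jars needing manual review.

    Returns (specs, unmatched): specs maps (api, spec, artifact) to the
    directories holding that jar; unmatched lists every other path.
    """
    specs, unmatched = defaultdict(list), []
    for path in listing.split():
        directory, _, name = path.rpartition("/")
        m = SPEC_JAR.fullmatch(name)
        if m:
            specs[m.group("api", "spec", "artifact")].append(directory)
        else:
            unmatched.append(path)
    return dict(specs), unmatched


def shipped_twice(specs):
    """APIs whose jar sits in more than one directory (one upgrade, several copies)."""
    return sorted(api for (api, _, _), dirs in specs.items() if len(dirs) > 1)


if __name__ == "__main__":
    specs, unmatched = triage(LISTING)
    for (api, spec, artifact), dirs in sorted(specs.items()):
        print(f"{api:12} spec {spec:4} artifact {artifact:6} in {', '.join(dirs)}")
    print("shipped twice:", shipped_twice(specs))
    print("needs manual review:", unmatched)
```

Anything that lands in the manual-review list is a jar whose name does not follow the spec-jar pattern and should be identified individually before matching it against advisories.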
robert lazarski (JIRA)
2018-09-11 14:43:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

robert lazarski closed AXIS2-5917.
----------------------------------
Resolution: Not A Problem