We are trying to mitigate the laetst log4j vulnerability in our application our scans show that jetty-hightide-7.6.1.v20120215/webapps/cometd.war is using the older version of log4j that is log4j.1 need help in ways to mitigate this.
Can we delete it from the webapps.
Your use of jetty-hightide-7.6.1.v20120215 has far more vulnerabilities present than just cometd.
Jetty 7.x
Jetty 7.x was declared EOL (End of Life) back in 2014.
https://www.eclipse.org/jetty/security_reports.php
Log4j 1.x
Log4j 1.x was declared EOL back in 2015.
https://logging.apache.org/log4j/1.2/
Along with 10 years of security updates to the following other projects present in your ancient jetty-hightide archive.
objectweb asm 3.1
javax.annotations 1.1
derby 10.6
javax.activation 1.1
glassfish mail 1.4
sun el 1.0
javax.el 2.1
jstl 1.2
jsp 2.1
glassfish jasper 2.1
glassfish taglibs 1.2
eclipse jdt 3.7
javax.transactions 1.1
atomikos 3.7
jna 3.2.2
setuid native 7.6
spring framework 2.5
cometd 2.4.0.RC3
jackson 1.9
log4j 1.2
bayeux 2.4
dojo 1.7
dojox 1.7
dojiit 1.7
jquery 1.6
Every one of the items listed above have security vulnerabilities associated with them in the past 10 years, every one of them need to be evaluated. (many of the vulnerabilities are actually quite severe, on par with the log4j one you are specifically chasing)
Related
Our application needs to support Tomcat 10.
We are migrating the code to Jakarka EE 9, but due to HazelCast we are blocked.
When can we expect the HazelCast jakarta EE migration??
Details:
We are evaluating to support Tomcat 10 in our product. To start it, we initially try to use Servlet 5.0 spec as Tomcat 10 supports Servlet 5.0 specification.
The Servlet 5.0 version migrated the classes to Jakarta.servlet.* from javax.servlet.. So, most of our java code have been migrated to Jakarta EE9.
But, in the middle we come to know that the HazelCast versions not compatible with Jakarta EE.
The internal classes of HazelCast still references to javax.servlet. from Servlet 3.0 specification.
So as a result, we got compile time issues as well.
Does the HazelCast compatible with Tomcat 10??
I want to migrate an application from Wildfly 8 to the latest Wildfly 18. The web application uses the following frameworks: hibernate 3, seam 2.2, JSF 1.2, and Richfaces 3.3.3. Since hibernate 3 isn't supported anymore in Wildfly, we need to migrate to hibernate 4 which isn't compatible with Seam 2.2. Thus, we have to migrate to Seam 2.3 and this leads to migrating to JSF 2.3 (Wildfly modules) and to Richfaces 4.
My project is an ear that contains inside it a war folder.
For JSF, I am using the supported module by Wildfly both com.sun.faces.impl and javax.faces.api. I also added jsf-facelets-1.1.15.jar as a jar under web-inf/lib.
For hibernate, I included the following jars in my ear: hibernate-commons-annotations-4.0.5.Final.jar, hibernate-core-4.3.11.Final.jar, and hibernate-entitymanager-4.3.11.Final.jar.
For seam, I included the seam jars: jboss-seam.jar, jboss-seam-debug.jar, ...
For Richfaces, I included the following libraries under the war folder: richfaces-a4j-4.5.17.Final.jar, richfaces-core-4.5.17.Final.jar, and richfaces-rich-4.5.17.Final.jar. I also included their dependencies.
I am still getting this error which I am not able to debug: Unsupported Operation Exception.
Did anyone encountered this issue ? And do you know if Seam 2.3 is still supported by the latest Wildfly especially that on Seam documentation, they gave the project examples on Jboss As 7?
Thank you for your help.
The migration you are trying to achieve will result in a non-supported environment as well.
From http://seamframework.org/
Seam Moving Forward
As many of you may be aware, there have been a number of changes
within Seam over the past year. Here is a quick highlight of the
changes and how they may affect you and your application.
Seam 2
Seam 2.2 targets JBoss AS 5 and 6 as well as JBoss Enterprise
Application Platform 5 - Java EE 5 based architecture Seam 2.3 targets
Java EE 6 capabilities such as JSF2 and JPA2 on the JBoss Enterprise
Application Platform 6 - Seam 2.3 also supports RichFaces 4 which is
also available for commercial support via Web Framework Kit. If you
are looking for the long-term support with a service level agreement
of Seam 2.2 and/or Seam 2.3 then please contact us at
http://www.redhat.com/contact/sales.html Seam 2.3 is part of Web
Framework Kit, included as part of the JBoss Enterprise Application
Platform subscription .
Seam 2.3 was released in September 2012. This is an update to the Seam
2 code base to make it compatible with Jave EE 6. It runs well on
JBoss AS 7.
Seam 3
Active development of Seam 3 has been halted by Red Hat. Many projects
have moved over to Apache DeltaSpike , and others have been absorbed
into different projects. Please see the below table for information
about where the functionality from each module has gone and how you
can participate.
So no, it does not support WildFly 18 (Java EE 8)
Richfaces is 'dead' (sunset) for 4 years now. https://developer.jboss.org/wiki/RichFacesEnd-Of-LifeQuestionsAnswers
JSF 2.x has facelets built-in, so no need to include them. (Causes problems even)
Wildfly 18 has JPA2 built-in so no need to include hibernate manually (Might cause problems even)
Also read https://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html/migration23.html
Switching to using
PrimeFaces (fully html 5, css3 etc compliant)
JPA2
CDI (with Deltaspike)
OmniFaces
OptimusFaces
is a way better thing to do (Although JSF is 'old' compared to e.t.c. Angular it is still modern when combined with the above technologies and more stable).
I'm trying to upgrade from JSF 2.2 to 2.4 in Netbeans 11.0.
I downloaded the binaries and added it as a new library:
But when I look into the properties of my project, I still see the old JSF versions 1.2 and 2.2:
Is adding it as a Maven dependency the only way to upgrade? I wanted to upgrade it globally, for all (future) projects.
I'm using Java EE 8 with Payara Server 5.192.
JSF 2.4 does not exist as an official API at all. Do not use it. Currently latest official version is 2.3 and the next one will be 3.0 which will be released as part of Jakarta EE 9 (which is essentially exactly the same as 2.3, but then with the package renamed from javax.faces to jakarta.faces).
See also the blog article Do not use org.glassfish Mojarra 2.4.0! written by yours truly.
No, JSF 2.4 is not there yet. Technically speaking, Mojarra 2.4.0 represents the latest state of the master branch as it was during the transfer from Oracle to Eclipse. That transfer took place when JSF 2.3 specification was already released and JSF 2.4 specification has still to be started yet. JSF 2.4 is far from being a beta, let alone a reasonable snapshot. And yet there is a Mojarra 2.4.0 in Maven instead of e.g. a Mojarra 2.4.0-M1. As per the agreement between Oracle and Eclipse, it was necessary to release the latest work on Mojarra under Oracle's umbrella into Maven Central before the transfer to Eclipse was completed. And later Eclipse will do the same after the transfer is completed so that the integrity can be validated by the public. Using version "2.4.0" is indeed way too confusing for the public, because does actually not at all represent a real "2.4.0" version, but it is what it is.
As to your specific problem with Netbeans, you need to upgrade it to see "JSF 2.3" as an option in its built-in dropdown. Alternatively you can also just ignore it and write JSF 2.3 targeted code yourself instead of letting the IDE autogenerate it. That's basically what that "JSF 2.3" option is doing. Autogenerating the suitable JSF 2.3 faces-config.xml file and such. But you as a programmer of course can easily write code yourself based on official documentation.
I would like to upgrade my JSF 1.2 application to JSF 2.2. What's the minimum required Tomcat version for JSF 2.2? I'm currently using Tomcat 5. Is it possible to run JSF 2.2 on it?
JSF 2.2 requires a Servlet 3.0 compatible container, mainly because of the new <h:inputFile> component which requires container-native file upload support. This was only introduced in Servlet 3.0.
If you check the Tomcat versions overview, then you'll see that you need minimally Tomcat 7.x in order to have a Servlet 3.0 compatible container.
So what's the latest version I can update JSF to?
You're not terribly clear on the exact Tomcat version you're currently using (5.0.x vs 5.5.x is quite a difference), but if it is Tomcat 5.5.x, then you could run JSF 2.0/2.1 on it if you supply a custom EL 2.1 compatible implementation along the webapp itself. See also the answer on Running JSF 2.0 on Servlet 2.4 container.
I have a project in JSF 1.2 and ICEfaces 1.8.
I have started the upgrade process to JSF 2.0 and ICEfaces 2.0 based on this tutorial
I've DELETED old JSF and ICEfaces jars from my project and copied the new ones from icefaces 2 libs.
When I start JBoss I clearly see that JSF 2.0 jars are loaded but I do not understand why it still loads the ICEfaces 1.8 lib.
15:37:07,431 INFO [config] Initializing Mojarra (1.2_12-b01-FCS) for context '/
admin-console'
15:37:09,012 INFO [D2DViewHandler]
ICEsoft Technologies, Inc.
ICEfaces 1.8.2
Build number: 7
Revision: 19321
15:37:09,089 WARN [D2DViewHandler] JSF 2.0 libraries detected. This version of
ICEfaces is not supported on JSF 2.0. JSF 1.1 or 1.2 are required.
Do you see any reason?
Thanks.
Seems that I have not actually deleted all the old jars. Fixed now.