Saturday, March 23, 2013

WSO2 AS 5.1.0 Third-party Jar version updates



With the release of WSO2 Application Server (AS) 5.1.0, which is based on Carbon kernel 4.1.0, we have made major upgrades to the third-party jars that WSO2 AS depends on. These include some long-awaited ones such as Servlet 3.0 and JSP 2.2. The table below lists the previous and new versions of the jars built into WSO2 AS.


Package           Previous version   New version
Tomcat Runtime    7.0.28             7.0.34
Servlet           -                  3.0
JSP               2.0                2.2
EL                1.0                2.2
JSTL              1.1                1.2
CXF Runtime       2.6.1              2.7.3


We upgraded the CXF runtime to 2.7.3 primarily because two new critical security advisories were published against the older version [1] [2]. Both advisories concern bypasses of CXF's WS-Security handling, so services that rely on WS-Security under the old runtime should be treated as exposed until they are upgraded. WSO2 AS 5.0.0 and 5.0.1 shipped with CXF 2.6.1, so users of those releases are advised to upgrade WSO2 AS or, at a minimum, the bundled CXF version.

The Tomcat runtime was upgraded from 7.0.28 to 7.0.34 because new security vulnerabilities had been disclosed in the older version [3], [4], [5].
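A quick way to tell whether an existing WSO2 AS installation still carries the pre-5.1.0 CXF and Tomcat versions is to read the bundle versions out of the file names in the plugins directory and compare them against the versions in the table above. The script below is an added example for this post, not WSO2 code. It assumes the orbit bundle naming pattern <artifact>_<version>.wso2v<n>.jar and the artifact names "tomcat" and "cxf-bundle"; confirm both against your own <CARBON_HOME>/repository/components/plugins listing and adjust MINIMUM_VERSIONS if your install names them differently. The sample listing is constructed to look like an AS 5.0.x install so the script runs offline.

```python
"""Audit a WSO2 AS plugins listing for bundled jars older than the AS 5.1.0 versions.

Added example for this post, not code from WSO2.  It only needs file names, so it
runs offline against the constructed listing below; point scan_directory() at
<CARBON_HOME>/repository/components/plugins to audit a real installation.
"""
import os
import re

# Version floors taken from the upgrade table in this post (what AS 5.1.0 ships).
# The artifact names used as keys are an assumption about WSO2 bundle naming.
MINIMUM_VERSIONS = {
    "tomcat": (7, 0, 34),      # upgraded for CVE-2012-4431, CVE-2012-3546, CVE-2012-4534
    "cxf-bundle": (2, 7, 3),   # upgraded for CVE-2013-0239, CVE-2012-5633
}

# Assumed WSO2 orbit bundle naming: <artifact>_<version>[.wso2v<n>].jar
BUNDLE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.\-]+?)_(?P<version>\d+(?:\.\d+)*)(?:\.wso2v\d+)?\.jar$"
)


def parse_version(text):
    """'7.0.28' -> (7, 0, 28).  Tuples compare element-wise, so (7, 0, 28) < (7, 0, 34)."""
    return tuple(int(part) for part in text.split("."))


def parse_bundle_name(filename):
    """Return (artifact, version tuple) for a bundle file name, or None if it does not match."""
    match = BUNDLE_RE.match(filename)
    if match is None:
        return None
    return match.group("name"), parse_version(match.group("version"))


def find_outdated(filenames, minimums=MINIMUM_VERSIONS):
    """Return [(filename, artifact, found_version, required_version)] for every
    tracked artifact whose bundled version is below the floor."""
    findings = []
    for filename in sorted(filenames):
        parsed = parse_bundle_name(filename)
        if parsed is None:
            continue  # not a versioned bundle (README, directories, etc.)
        artifact, version = parsed
        required = minimums.get(artifact)
        if required is not None and version < required:
            findings.append((filename, artifact, version, required))
    return findings


def scan_directory(plugins_dir, minimums=MINIMUM_VERSIONS):
    """Run find_outdated() over the file names in a real plugins directory."""
    return find_outdated(os.listdir(plugins_dir), minimums)


def dotted(version):
    return ".".join(str(part) for part in version)


# Constructed listing resembling an AS 5.0.x install (CXF 2.6.1, Tomcat 7.0.28).
SAMPLE_LISTING = [
    "axis2_1.6.1.wso2v9.jar",
    "cxf-bundle_2.6.1.wso2v1.jar",
    "org.wso2.carbon.core_4.0.0.jar",
    "tomcat_7.0.28.wso2v1.jar",
    "tomcat-servlet-api_7.0.28.wso2v1.jar",
    "README.txt",
]

if __name__ == "__main__":
    findings = find_outdated(SAMPLE_LISTING)
    if not findings:
        print("no tracked bundles below the AS 5.1.0 versions")
    for filename, artifact, found, required in findings:
        print(f"{filename}: {artifact} {dotted(found)} is below required {dotted(required)}")
```

The check only looks at the tracked artifact names, so a renamed bundle or a CXF jar dropped into another directory (for example a web application's own WEB-INF/lib) is not caught; treat a clean result as "the bundled runtime is current", not as proof that no old CXF or Tomcat classes are on the classpath.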

[1] - CVE-2013-0239 Apache CXF authentication bypass with WS-SecurityPolicy plaintext UsernameTokens - http://cxf.apache.org/cve-2013-0239.html
[2] - CVE-2012-5633 Apache CXF WS-Security bypass via the URIMappingInterceptor - http://cxf.apache.org/cve-2012-5633.html

[3] - CVE-2012-4431 Apache Tomcat bypass of CSRF prevention filter - https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE536F.6000705@apache.org%3E
[4] - CVE-2012-3546 Apache Tomcat bypass of security constraints - https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE5367.6090809@apache.org%3E
[5] - CVE-2012-4534 Apache Tomcat denial of service - https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE535A.9000600@apache.org%3E