What is correct version to use for javax implementation?

[bbhansali1]

We are trying to remediate all the vulnerabilities on Struts 1.2.9.
But when trying to upgrade to 1.5.0-RC1 we found that it is using jakarta and not javax.
Can you please help us understand why the namespaces were changed from javax to jakarta and what is the correct version to use if we are using javax. and does that javax supported version address all the vulnerabilities?

[ste-gr]

Hi @bbhansali1,

The Struts-version 1.5+ is for JakartaEE 9+ where the namespace is changed from javax to jakarta.
The Struts-version 1.4.x (currently 1.4.5) is for JakartaEE 8, where the namespace is unchanged (javax). So this version should be for you.

Hint: The only difference between 1.4.x and 1.5.x will be the namespace.

And yes, the version 1.4.5 also address all the vulnerabilities, which you will find in the README. The newest vulnerability CVE-2023-49735 / #23 - Apache Tiles: Unvalidated input may lead to path traversal and XXE will also be resolved in the near future.

I hope I could help you
Greetings
Stefan

[bbhansali1]

Thanks @ste-gr, this info helps a lot.
Any tentative ETA for remediation of CVE-2023-49735?

Thanks,
Bharat

[ste-gr]

Hi @bbhansali1,

I'll try to fix it in the next 2 to 3 week (18.02.2024). The CVE-2023-49735 only occurs if you use struts-tiles or struts-tiles2.

Greetings
Stefan

[ste-gr]

Hi @bbhansali1,

I think CVE-2023-49735 is fixed with 41a0343.
The next version (1.5.0-RC2) with this fix will be released in the next days.
And the javax-version (1.4.6) will follow a few days later.

Greetings
Stefan

[bbhansali1]

hi @ste-gr - any update if we are fixing this in 1.4.x releases?

[ste-gr]

Hi @bbhansali1,

I would like to sync version 1.4.6 with 1.5.0-RC so that the only differences is the namespace and versions-numbers of the config-files. If you could do this, it would help me.

Greetings
Stefan