    [no vulnerability] Vulnerable jar velocity-1.7.jar in SmartClient_v121p_2024-10-20_Enterprise

    There is a security vulnerability, CVE-2020-13936, in velocity-1.7.jar.
    1. Is SmartClient vulnerable? If it is not vulnerable, can you explain why?
    2. According to IBM security policy, we must remove the vulnerable jar even if the product is not vulnerable. Is there a new version of SmartClient without this vulnerable jar?

    #2
    I need the answer urgently. Please reply

    Comment


      #3
      Hello, see this post: https://forums.smartclient.com/forum...-vulnerability

      Comment


        #4
        I am not satisfied with the response in the previous thread: "This does not apply to the SmartGWT framework, because we do not provide an ability for untrusted end users to upload Velocity templates." We are asking for a new version without the vulnerable jar. Some of our customers insist that the vulnerable jar should not be in the system.

        Comment


          #5
          There is no vulnerability to fix, but if you are forced to do unnecessary work by your policies, then the best approach is to upgrade to the latest SmartGWT. That version is likewise not vulnerable, but no longer uses the jar that does not cause a vulnerability either, but that someone is afraid of.

          Comment


            #6
            SmartGWT is totally different from SmartClient. We can't just switch to it.
            1. What is the consequence if we just remove the jar?
            2. Can you replace it with a higher version jar without the vulnerability?

            Comment


              #7
              So just to emphasize: there is no vulnerability, and in reality there is nothing that you need to do. There is also no need to switch from SmartClient to SmartGWT.

              Both we and a community member correctly pointed out that neither SmartGWT nor SmartClient are vulnerable here - when it comes to the backend, these technologies are identical, so it doesn't matter which name is used, and no "porting" is required.


              Now, if, for political reasons, you absolutely must get rid of this .jar even though there is no vulnerability, removing the .jar will not work. Replacing the .jar with a newer .jar also will not work, because the new version of Velocity didn't just fix this problem, it moved a bunch of APIs around in a non-backwards-compatible way.


              However, versions of SmartClient/SmartGWT that use an updated .jar have been available for over 3 years. As was explained here (and elsewhere), version 13.0 and later have a more recent .jar:

              https://forums.smartclient.com/forum...es-in-smartgwt

              In general, when upgrading to a new version, we do recommend updating to the latest available. So, if you are forced to do a quick upgrade for political reasons, we would recommend 14.0 or 14.1. These two releases differ only in javax vs Jakarta namespaces.

              They are also both fully backwards compatible with your current version (12.1) modulo only certain very minor things mentioned in the Release Notes, which almost no customer will hit.

              So just to sum up:

              1. the best path is to do nothing, since there is no vulnerability

              2. the second best path is just to update SmartClient, which is backwards compatible

              Comment
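The thread turns on one practical question a security team has to answer for itself: which Velocity jar does a given SmartClient install actually bundle, before and after an upgrade? The script below is an added example, not code from this forum or from Isomorphic. It walks a deployment directory, finds velocity jars, reads the version from the jar's MANIFEST.MF and falls back to the version in the file name, then flags anything below a threshold. The threshold of 2.3 (the Velocity release that addressed CVE-2020-13936) and the `make_sample_tree` layout are this example's own assumptions, not a real SmartClient directory structure.

```python
"""Inventory Velocity jars in a deployment directory and report their versions.

Added example (not code from the forum thread or from SmartClient): walks a
directory tree, finds velocity*.jar files, reads the version from the jar's
MANIFEST.MF (Implementation-Version / Bundle-Version) and falls back to the
version embedded in the file name. Versions below FIXED_IN are flagged.
"""
import os
import re
import tempfile
import zipfile

# Assumption of this example: Velocity 2.3 is the release that addressed
# CVE-2020-13936; adjust to whatever threshold your own policy requires.
FIXED_IN = (2, 3)

JAR_NAME_RE = re.compile(r"^velocity(?:-engine-core)?-(\d+(?:\.\d+)*)\.jar$",
                         re.IGNORECASE)
VERSION_KEYS = ("Implementation-Version", "Bundle-Version")


def parse_version(text):
    """'1.7' -> (1, 7); '2.3.0-SNAPSHOT' -> (2, 3, 0). Returns None if no digits lead."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def manifest_version(jar_path):
    """Return the version declared in META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in VERSION_KEYS:
            return parse_version(value)
    return None


def scan(root):
    """Return sorted (relative path, version tuple or None, flagged) for each velocity jar.

    A jar whose version cannot be determined is flagged too, since an unknown
    version should be looked at by a human rather than silently passed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path) or parse_version(m.group(1))
            flagged = version is None or version < FIXED_IN
            findings.append((os.path.relpath(path, root), version, flagged))
    return sorted(findings)


def _write_jar(path, manifest_text):
    """Write a minimal jar (a zip) containing only a manifest; constructed sample data."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)


def make_sample_tree():
    """Constructed sample deployment (not a real SmartClient layout) for a dry run."""
    root = tempfile.mkdtemp(prefix="velocity-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    # Old jar: version declared in the manifest.
    _write_jar(os.path.join(lib, "velocity-1.7.jar"),
               "Manifest-Version: 1.0\r\nImplementation-Version: 1.7\r\n")
    # Newer jar with no version key in the manifest: exercises the file-name fallback.
    _write_jar(os.path.join(lib, "velocity-engine-core-2.3.jar"),
               "Manifest-Version: 1.0\r\n")
    return root


if __name__ == "__main__":
    # Point scan() at a real install directory instead of the sample tree to audit it.
    for rel, version, flagged in scan(make_sample_tree()):
        label = "FLAG" if flagged else "ok"
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{label:4} {shown:8} {rel}")
```

Run it against the sample tree to see the format, then call `scan()` on the unpacked SmartClient distribution or the deployed WAR's `WEB-INF/lib` to record which Velocity version is actually present; that record is what answers a policy auditor, whether or not the application exposes a template-upload path.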
