0 Replies Latest reply on Feb 21, 2018 8:57 AM by rmg_hrr

    Ugrade from seam 2.3.1.Final to 2.3.4.Final-redhat-1


      We are thinking to change the seam dependency in application from

      2.3.1.Final to 2.3.4.Final-redhat-1. is this advisable and what are its implications?


      A security report flagged one of the application where Seam 2.3.1.Final is used with below vulnerabilities.


      [RHSA-2014:0045-01] Moderate: Red Hat JBoss Web Framework Kit 2.4.0 upda

      1044784 - CVE-2013-6447 JBoss Seam: XML eXternal Entity (XXE) flaw in remoting

      1044794 - CVE-2013-6448 JBoss Seam: Information disclosure in remoting


      our application does not use Web Framework Kit jars from Redhat but it has some seam dependencies referred from maven repo.