ANNOUNCEMENT: ESAPI patch release 2.2.3.1 and why CVE-2021-29425 is not exploitable


Kevin W. Wall

May 8, 2021, 6:43:06 PM5/8/21
to esapi-project-users, esapi-project-dev, Matt Seil, Dave Wichers
ESAPI 2.2.3.1 was just pushed to Maven Central last evening. It is a very minor patch release to update some direct and transitive dependencies. It updates:
  • AntiSamy from 1.6.2 to 1.6.3
  • Apache Commons IO from 1.3.1 to 2.6
Release notes are at:

Please also read Security Bulletin 5 at:

which explains why CVE-2021-29425 is not exploitable via ESAPI or AntiSamy. It also describes a workaround you can use (if your application is using Java 8 or later) to make any SCA scans stop complaining about that CVE.

Lastly, if you haven't taken the time to respond to "ESAPI support for Java 7 -- how important is it to you?" at


please take a moment to do so. If no one still needs Java 7, it is absolutely pointless to make me fight these battles and write up needless security bulletins when instead we could just be updating to a patched version. But because so many patches now require using Java 8, this is eliminating ESAPI's ability to remediate these things.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
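As an added example (not from Kevin's post or the ESAPI project), here is how a Maven build can pin the transitive Commons IO dependency that ESAPI 2.2.3.1 pulls in. It assumes the bulletin's Java 8 workaround amounts to overriding that transitive version, and that Commons IO 2.7 (Java 8+) is the first release addressing CVE-2021-29425; the project coordinates are placeholders.

```xml
<!-- Added example, not from the original post or the ESAPI project.
     Assumes the application depends on org.owasp.esapi:esapi:2.2.3.1 and
     that pinning commons-io to 2.7 (first release addressing CVE-2021-29425,
     requires Java 8+) is what the bulletin's workaround amounts to. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- placeholder -->
  <artifactId>esapi-consumer</artifactId> <!-- placeholder -->
  <version>1.0.0</version>

  <properties>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>

  <!-- dependencyManagement wins over the 2.6 that ESAPI 2.2.3.1 declares,
       so SCA tools see 2.7 on the resolved classpath instead. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.2.3.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=commons-io`, which should list commons-io:commons-io:jar:2.7 under the esapi node.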