New ESAPI release (2.4.0.0) available -- this is first Java 8 release; does not support Java 7!!!

Kevin W. Wall

Apr 24, 2022, 10:08:09 PM
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
Details
For further details, see https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.4.0.0 and the detailed release notes referenced therein.

Known CVEs
As far as the ESAPI team is aware, this release remediates the last known exploitable vulnerability in ESAPI. There are 6 known Log4J 1 vulnerabilities flagged by most SCA tools, but the ESAPI team has analyzed these and believes that none of them are exploitable when using ESAPI in its default configuration. And even if you were to use Log4J 1 logging (which we strongly recommend against!), as long as you restrict the Log4J 1.x Appender to ConsoleAppender or to FileAppender, there should be no exploitable issues.

Note that Log4J 1 has been deprecated from ESAPI for over 1.5 years, and come mid-June 2022 we will be completely dropping it from future ESAPI releases, so if you are still using it, please move off of it ASAP. There currently are ESAPI Security Bulletins covering all 6 of the known Log4J 1 CVEs that many SCA tools are still flagging as vulnerable. The security bulletins tell you how you can exclude the log4j-1.2.17.jar in a manner such that most SCA tools with a clue should stop complaining. Note that there currently is no Security Bulletin to cover CVE-2022-23307, which relates to Apache Chainsaw. ESAPI does not use Apache Chainsaw, so it is not directly exploitable via this CVE, but if you have ESAPI configured to use Log4J 1 and are using Apache Chainsaw (which is a GUI log viewer), then you may be susceptible to this vulnerability. Security Bulletin 10 will cover this CVE.

Acknowledgements
  • The AntiSamy team for getting 1.6.8 released.
  • Matt Seil for doing the majority of this release process.
  • Jeremiah Stacey for working on the PR that made most of this possible.

Further Questions?
As always, if you have questions, please either send an email to one of these mailing lists (as appropriate), or send the ESAPI project co-leaders (Matt and Kevin) an email or (if you must) post it to Stack Overflow and tag it as #esapi. But DO NOT submit questions via GitHub issues (unless they are part of a bug report) as we will no longer respond to questions submitted as GitHub issues.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
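The message above points readers to the ESAPI Security Bulletins for the exact steps to exclude log4j-1.2.17.jar. As an added illustration (not part of the original post, and not the text of any ESAPI Security Bulletin), the following Maven fragment shows the general shape of that exclusion: the ESAPI 2.4.0.0 dependency declared with the transitive Log4J 1 artifact excluded, so SCA tools no longer see it on the classpath. The Maven coordinates `org.owasp.esapi:esapi` and `log4j:log4j` are assumed to be the published ones; the surrounding `pom.xml` is a constructed skeleton. Excluding the jar only makes sense if ESAPI is configured to use a logger other than Log4J 1 (for example the JDK or SLF4J logging factory via the `ESAPI.Logger` property in `ESAPI.properties`), which the post already recommends.

```xml
<!-- Constructed pom.xml fragment (added example, not from the ESAPI project). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>esapi-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencies>
    <!-- BEFORE (weak): pulls in log4j-1.2.17.jar transitively, which SCA tools flag. -->
    <!--
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.4.0.0</version>
    </dependency>
    -->

    <!-- AFTER (mitigated): same ESAPI release, with the Log4J 1 artifact excluded.
         Coordinates assumed: org.owasp.esapi:esapi and log4j:log4j. -->
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.4.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After applying the exclusion, `mvn dependency:tree` should no longer list `log4j:log4j:jar:1.2.17` under the `esapi` node; if it still appears, another dependency is bringing it in and needs its own exclusion. Remember that the exclusion removes the jar at build time only, so an application whose `ESAPI.properties` still names a Log4J 1 log factory will fail at runtime until the logger setting is switched.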