ESAPI support for Java 7 -- how important is it to you?


Kevin W. Wall

May 3, 2021, 9:50:47 PM5/3/21
to esapi-project-users, esapi-project-dev
ESAPI community,

We urgently need your feedback. There are several transitive dependencies of ESAPI (some several levels removed) that are no longer being updated in a manner that they are usable with Java 7. Recently, one of these (Apache Commons IO) has reported a version in 2.7. (See https://nvd.nist.gov/vuln/detail/CVE-2021-29425 for details.) Version 2.7 only supports Java 8 or later, so even if we hadn't screwed up the latest 2.2.3.0 release and accidentally reverted to the default version of Apache Commons IO (which would be 1.6!), there would be no way for us to patch CVE-2021-29425.

Now chances are, if I took the time to do all the proper analysis (which can be quite detailed since in this case, I'd have to follow the vulnerability through 4 different FOSS libraries), this wouldn't be something that actually has an exploitable path as it is used by ESAPI. But if not this time, maybe the next time we wouldn't be so lucky.

So my question is, "How important is it for you and your company that ESAPI continues to support Java 7?" I suspect that most companies are no longer using Java 7, since its end-of-life for standard support was back in April 2015.

My original plans were to continue to support Java 7 at least up through March 31, 2022, which seems to be the scheduled date on which standard support for OpenJDK 8 will end. At that time, I had originally planned on dropping support for Java 7 and making Java 8 the minimal required version of Java, and I was planning to announce this at least 6 months in advance. But because of things like this CVE that will not be patched for Java 7 or earlier, we have no resolution if we wish to continue supporting Java 7.

So, while I understand if you don't wish to announce to these mailing lists that "yes, we still use Java 7", it's important that we know. Because if NO ONE still needs ESAPI support on Java 7, we might as well drop Java 7 support right now and make Java 8 our minimal baseline. Then we can address this new CVE now.

So if you are not comfortable replying to one of the lists, please reply privately to me, especially if you need ESAPI to continue support for Java 7.

Thanks,
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
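The failure mode Kevin describes above, a build that silently resolves a transitive dependency (Apache Commons IO) to an old default version instead of the one that carries the fix for CVE-2021-29425, is something a consuming project can guard against on its own side. The following is an added illustration, not ESAPI's own pom.xml and not code from this thread: a Maven fragment that pins commons-io to the patched 2.7 line through dependencyManagement and uses the Maven Enforcer plugin to fail the build if an older Commons IO is still pulled in transitively or if the build runs on anything below Java 8 (which commons-io 2.7 requires). The project coordinates (com.example:esapi-consumer) and the enforcer plugin version are assumptions chosen for the example.

```xml
<!-- Added illustration, not ESAPI's own pom.xml: keep a transitive
     dependency from silently resolving to an older, unpatched version. -->
<project>
  <!-- Hypothetical consumer project coordinates -->
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>esapi-consumer</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Force the patched Commons IO (fix for CVE-2021-29425) on every
           path, even where it is only reached transitively through ESAPI. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Fail the build if an older Commons IO still sneaks in, or if the
           build is not running on Java 8 or later. Plugin version assumed. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>enforce-patched-deps</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <requireJavaVersion>
                  <version>[1.8,)</version>
                </requireJavaVersion>
                <bannedDependencies>
                  <!-- Ban every commons-io version below the patched 2.7 -->
                  <excludes>
                    <exclude>commons-io:commons-io:[,2.7)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To see which Commons IO version the build actually resolves before and after adding the pin, run `mvn dependency:tree -Dincludes=commons-io` in the project; the enforcer execution then turns any regression to a banned version into a build failure rather than something discovered after release, which is exactly the class of mistake the 2.2.3.0 release described above ran into.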

Kevin W. Wall

May 6, 2021, 12:20:47 PM5/6/21
to esapi-project-users, esapi-project-dev
I've received only one reply, otherwise crickets. Is anyone out there?

-kevin