ESAPI support for Java 7 -- how important is it to you?


Kevin W. Wall

May 3, 2021, 9:50:47 PM5/3/21
to esapi-project-users, esapi-project-dev
ESAPI community,

We urgently need your feedback. There are several transitive dependencies of ESAPI (some several levels removed) that are no longer being updated in a manner that they are usable with Java 7. Recently, one of these (Apache Commons IO) has reported a version in 2.7. (See https://nvd.nist.gov/vuln/detail/CVE-2021-29425 for details.) Version 2.7 only supports Java 8 or later, so even if we hadn't screwed up the latest 2.2.3.0 release and accidentally reverted to the default version of Apache Commons IO (which would be 1.6!), there would be no way for us to patch CVE-2021-29425.

Now chances are, if I took the time to do all the proper analysis (which can be quite detailed since in this case, I'd have to follow the vulnerability through 4 different FOSS libraries), this wouldn't be something that actually has an exploitable path as it is used by ESAPI. But if not this time, maybe the next time we wouldn't be so lucky.

So my question is, "How important is it for you and your company that ESAPI continues to support Java 7?" I suspect that most companies are no longer using Java 7, since the end of standard support for it was back in April 2015.

My original plans were to continue to support Java 7 at least up through March 31, 2022, which seems to be the scheduled date when standard support for OpenJDK 8 will end. At that time, I had originally planned on dropping support for Java 7 and making Java 8 the minimal required version of Java, and I was planning to announce this at least 6 months in advance. But because of things like this CVE that will not be patched for Java 7 or earlier, we have no resolution if we wish to continue supporting Java 7.

So, while I understand if you don't wish to announce to these mailing lists that "yes, we still use Java 7", it's important that we know. Because if NO ONE still needs ESAPI support on Java 7, we might as well drop Java 7 support right now and make Java 8 our minimal baseline. Then we can address this new CVE now.

So if you are not comfortable replying to one of the lists, please reply privately to me, especially if you need ESAPI to continue support for Java 7.

Thanks,
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
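The point above about a release "accidentally reverting to the default version" of a transitive dependency is worth checking in your own build rather than trusting the upstream POM. The fragment below is an added example for a consuming project, not code from the ESAPI project or from the message author. It assumes the consumer is a Maven project already on Java 8 or later (the whole reason for the thread is that Commons IO 2.7 does not run on Java 7), that it depends on ESAPI via the coordinates org.owasp.esapi:esapi, and that the ESAPI version shown is whatever the project currently uses. The `dependencyManagement` entry forces Maven's "nearest wins" resolution to pick Commons IO 2.7 (the version NVD lists as fixing CVE-2021-29425) for every path that pulls commons-io in transitively, regardless of what ESAPI or its own dependencies declare:

```xml
<!-- Added example for a project that consumes ESAPI; not part of ESAPI itself. -->
<!-- Assumptions: Maven build, Java 8+ toolchain, ESAPI version 2.2.3.0 as in the thread. -->
<project>
  <!-- ... groupId/artifactId/version of your own project ... -->

  <properties>
    <!-- Java 8 baseline: required because commons-io 2.7 is compiled for Java 8. -->
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive commons-io version for the whole build.
           Without this, Maven resolves whichever version is "nearest"
           in the dependency tree, which may be an old, vulnerable one. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.2.3.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm what actually gets resolved, run `mvn dependency:tree -Dincludes=commons-io:commons-io` (a goal of the standard maven-dependency-plugin) and check that every commons-io line in the output shows 2.7 and none is marked as omitted for conflict with a lower version. The pin only helps if you can run Java 8; on a Java 7 toolchain the 2.7 class files will fail to load, which is exactly the predicament the message describes.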

Kevin W. Wall

May 6, 2021, 12:20:47 PM5/6/21
to esapi-project-users, esapi-project-dev
I've received only one reply, otherwise crickets. Is anyone out there?

-kevin

AKHILA VENU

May 11, 2021, 1:23:26 AM5/11/21
to ESAPI Project Users, kevin....@gmail.com, esapi-project-dev
Hi Kevin,

Our project is bound to Java 7. We would need Java 7 support.

Thanks,
Akhila

Kevin W. Wall

May 12, 2021, 12:46:35 AM5/12/21
to AKHILA VENU, ESAPI Project Users
Okay, thanks for letting me know Akhila.

I can't promise how long we'll keep on supporting it. Certainly if a serious vulnerability comes up that has an exploitable path in ESAPI and the only patch is for a dependency only supporting Java 8, we could be forced into a predicament where the only choice is to upgrade to Java 8 and patch, or decide to live with it (assuming no reasonable workaround is viable).

I had originally planned on supporting Java 7 up through when standard support for Java 8 ends (which I was thinking was April or May next year), but if this fire drill happens again we are prepared to move that transition date up to Jan 1, 2022. All of you ESAPI users should get off Java 7 ASAP because we are not going to be able to support Java 7 indefinitely. 

-kevin

On Tue, May 11, 2021, 12:54 AM AKHILA VENU <venuakh...@gmail.com> wrote:
Hi,

Yes, we still use Java 7 and would need the support.

Thanks,
Akhila

On Tuesday, May 4, 2021 at 7:20:47 AM UTC+5:30 kevin....@gmail.com wrote:
