Hi,
We have a large application deployed as a WAR (bundling Lucee and the necessary Extensions) onto Tomcat at various on-prem clients (global investment banks). One of these clients is subjecting the WAR to deep scanning as part of their release pipeline and blocking a production release due to a number of Critical and High findings in Lucee or Extensions (i.e. under WEB-INF). We’ve been able to address most of these but are left with one significant challenge with the ESAPI Extension (latest 2.2.4.15), which is unavoidable in the application as it stands. We’re still deploying with Lucee 5.n, but evaluation of Lucee 6.n has provided no solution.
org.lucee.esapi-2.2.3.10006L.jar is being flagged for CVE-2022-23457 as Critical and a blocker.
Evidence suggests that org.lucee.esapi-2.2.3.10006L.jar contains org.owasp.esapi 2.2.3.1, which has two CVEs against it, including CVE-2022-23457. There is no later version of the ESAPI Extension (nor any evidence of a fix for this in GitHub). Has anyone come up against this challenge before or established documentation to evidence it as a false positive?
com.google.guava-30.1.0.jre.jar, also bundled in the ESAPI Extension and with CVEs against it, is raising findings too; not currently a blocker, but still a significant concern.
From luceeserver.atlassian.net I believe there are updates to the ESAPI Extension planned, but this has been bumped along for a couple of years and seems to have gone stale. Is the only solution to avoid the Extension and refactor a significant amount of code?
Thanks for any advice,
Inigo
OS: RHEL 7 / RHEL 8
Java Version: 11.n
Tomcat Version: 9.n
Lucee Version: 5.4.5.23 / 6.0.1.83
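The question above hinges on being able to state exactly which upstream libraries are nested inside an extension jar under WEB-INF/lib, since the scanner is matching on the inner artifacts rather than the Lucee wrapper. The following is an added example, not code from the original post or from the Lucee project: a small Python script that walks a WAR, recurses into nested jars, and collects the Maven coordinates recorded in each jar's META-INF/maven/*/*/pom.properties, then checks them against a set of flagged coordinates. The sample WAR it builds is constructed in memory for the demonstration; the inner file layout of the extension (a "jars/" directory) and the Maven artifact ids it uses are assumptions, not a claim about how the real org.lucee.esapi bundle is laid out. Jars that were not built by Maven carry no pom.properties and are simply not reported; for those a fallback on the OSGi Bundle-Version in MANIFEST.MF would be needed, which this example does not implement.

```python
"""Inventory Maven coordinates of jars nested inside a WAR (added example, not Lucee code)."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

NESTED_SUFFIXES = (".jar", ".lex", ".zip", ".war")
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


@dataclass(frozen=True)
class Component:
    path: str         # archive path of the jar that carries the pom.properties, "!/" separates nesting levels
    group_id: str
    artifact_id: str
    version: str

    @property
    def coordinates(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value subset of java.util.Properties that Maven writes ('#' lines are comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def inventory(archive_bytes: bytes, path: str = "") -> List[Component]:
    """Recursively list Maven components in a zip archive (WAR, JAR, .lex) given as bytes."""
    found: List[Component] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append(Component(path or "<root>", props["groupId"],
                                           props["artifactId"], props["version"]))
            elif name.lower().endswith(NESTED_SUFFIXES):
                nested_path = f"{path}!/{name}" if path else name
                try:
                    found.extend(inventory(zf.read(name), nested_path))
                except zipfile.BadZipFile:
                    continue  # entry named like a jar but not a zip archive; skip it
    return found


def find_flagged(components: Iterable[Component], flagged_coordinates: Set[str]) -> List[Component]:
    """Return the components whose group:artifact:version appears in the scanner's flagged set."""
    return [c for c in components if c.coordinates in flagged_coordinates]


# --- constructed sample data below; layout and artifact ids are assumptions for the demo ---

def _jar(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _pom_props(group: str, artifact: str, version: str) -> Dict[str, bytes]:
    body = f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"
    return {f"META-INF/maven/{group}/{artifact}/pom.properties": body.encode()}


def build_sample_war() -> bytes:
    """Constructed WAR: an extension jar under WEB-INF/lib that nests two Maven-built jars."""
    esapi = _jar(_pom_props("org.owasp.esapi", "esapi", "2.2.3.1"))
    guava = _jar(_pom_props("com.google.guava", "guava", "30.1-jre"))
    extension = _jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "jars/esapi-2.2.3.1.jar": esapi,
        "jars/com.google.guava-30.1.0.jre.jar": guava,
    })
    return _jar({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/org.lucee.esapi-2.2.3.10006L.jar": extension,
    })


if __name__ == "__main__":
    comps = inventory(build_sample_war())
    for c in comps:
        print(f"{c.coordinates:45} {c.path}")
    for c in find_flagged(comps, {"org.owasp.esapi:esapi:2.2.3.1"}):
        print("FLAGGED:", c.coordinates, "at", c.path)
```

Against a real deployment, replace build_sample_war() with open("app.war", "rb").read(); the printed path for each hit shows the full nesting chain (WAR, then extension jar, then inner jar), which is the piece of evidence a pipeline reviewer needs when deciding whether a finding on the wrapper jar is really a finding on the nested upstream artifact.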