Exclude struts-core-1.3.8.jar from the maven dependencies

Description

A vulnerability has been reported in struts-core-1.3.8.jar, which comes in as part of the org.apache.velocity.velocitytools dependency.

Steps followed to mitigate the vulnerability:

  1. Manually removed the struts-core-1.3.8.jar from the openmrs env.

  2. Restarted the openmrs service.

The application started working fine without any issues, and we tested the basic flows. Everything looks fine.

Raised a Talk thread for the same:

https://talk.openmrs.org/t/struts-core-1-3-8-security-vulnerability-in-openmrs-core/36523

PR link to exclude struts-core-1.3.8.jar from the pom.xml:

https://github.com/openmrs/openmrs-core/pull/4083
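
A check for the exclusion described above, as an added example that is not part of the ticket or the OpenMRS code base: it parses a pom.xml and reports every velocity-tools declaration that does not exclude struts-core. The Maven coordinates, the function names and both POM fragments are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed Maven Central coordinates (the page names the jar, not the groupIds).
PARENT = ("org.apache.velocity", "velocity-tools")
BANNED = ("org.apache.struts", "struts-core")

# Constructed POM fragments: declaration without and with the exclusion.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency>
    <groupId>org.apache.velocity</groupId><artifactId>velocity-tools</artifactId>
    <version>0.0-EXAMPLE</version>
  </dependency>
</dependencies></project>"""
POM_AFTER = POM_BEFORE.replace("</version>", """</version>
    <exclusions><exclusion>
      <groupId>org.apache.struts</groupId><artifactId>struts-core</artifactId>
    </exclusion></exclusions>""")

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM tags."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    """Text of the direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def _covers(exclusion, banned):
    """True if an <exclusion> matches `banned`; Maven accepts '*' wildcards."""
    return all(_text(exclusion, key) in ("*", want)
               for key, want in zip(("groupId", "artifactId"), banned))

def missing_exclusion(pom_xml, parent=PARENT, banned=BANNED):
    """Versions of every `parent` declaration that does not exclude `banned`."""
    missing = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        if (_text(dep, "groupId"), _text(dep, "artifactId")) != parent:
            continue
        exclusions = [e for e in dep.iter() if _local(e.tag) == "exclusion"]
        if not any(_covers(e, banned) for e in exclusions):
            missing.append(_text(dep, "version") or "(managed)")
    return missing

if __name__ == "__main__":
    print("before:", missing_exclusion(POM_BEFORE))
    print("after: ", missing_exclusion(POM_AFTER))
```

An exclusion only covers the declaration it is written on; `mvn dependency:tree -Dincludes=org.apache.struts:struts-core` shows whether the jar still resolves through another path.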

Fixed

Details

Complexity

Low

Created May 10, 2022 at 11:24 AM
Updated May 31, 2022 at 3:55 PM
Resolved May 31, 2022 at 3:55 PM