I have a question regarding com.sun.commons:beanutils:1.6.1-20070314 which is used transitively in org.glassfish.metro:webservices-extra:2.3.1. I assume that these beanutils are the same as the Apache commons beanutils version 1.6.1.
By now the Apache commons beanutils are at version 1.9.2. Older versions suffer from the CVE-2014-0114 vulnerability, which is quite severe (CVSS v2 Base Score: 7.5 HIGH).
* Are you planning to update this outdated library?
* It is unclear whether the vulnerability is present in this very old version (1.6.1), but this library being older than the vulnerable ones is not very comforting either.
* Is it possible to rule out that this vulnerability might be present when using Metro?