ketan

Reputation: 65

Resolving Security Vulnerability in axiom-api 1.4 Due to Internal Dependency on apache-mime4j-core 0.8.6

I am currently working on a project that utilizes axiom-api 1.4 as a dependency. During a security audit, it was identified that axiom-api relies on an internal dependency, specifically apache-mime4j-core version 0.8.6, which has known vulnerabilities. Unfortunately, there is no available version of axiom-api that utilizes a more recent and secure version of mime4j.

I am seeking advice on how to address this security concern without compromising the functionality of the project. Are there any workarounds, best practices, or alternative approaches that can be taken to mitigate the vulnerability in the apache-mime4j-core 0.8.6 dependency while still utilizing axiom-api 1.4?

Any insights or suggestions on how to effectively handle this situation would be greatly appreciated. Thank you in advance for your assistance!

Upvotes: 0

Views: 190

Answers (1)

Andreas Veithen

Reputation: 9174

On the master branch, the following commits updated the MIME4J dependency from 0.8.6 to 0.8.9:

As you can see, none of those upgrades required any changes to Axiom code (the upgrade from 0.8.7 to 0.8.8 required some minor changes in OSGi tests, but that doesn't affect compatibility between Axiom and MIME4J). Therefore, you should be able to simply update the MIME4J dependency while continuing to use Axiom 1.4.

Upvotes: 0
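
One way to apply the override described in the answer, as an added example that is not part of the original answer or of the Axiom project. It assumes the build uses Maven, that the artifacts are resolved under their usual Maven Central coordinates, and that the `com.example:my-service` project coordinates and the enforcer plugin version shown are placeholders to adapt.

```xml
<!-- Added example: pins the transitive MIME4J version while staying on Axiom 1.4. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- hypothetical project coordinates -->
  <artifactId>my-service</artifactId>
  <version>1.0.0</version>

  <properties>
    <mime4j.version>0.8.9</mime4j.version> <!-- version named in the answer -->
  </properties>

  <!-- dependencyManagement overrides the 0.8.6 version that axiom-api pulls in transitively -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.james</groupId>
        <artifactId>apache-mime4j-core</artifactId>
        <version>${mime4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.ws.commons.axiom</groupId>
      <artifactId>axiom-api</artifactId>
      <version>1.4.0</version>             <!-- assumed coordinates of the 1.4 release -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Fails the build if any path resolves MIME4J below the pinned version again -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-old-mime4j</id>
            <goals><goal>enforce</goal></goals>
            <configuration><rules><bannedDependencies><excludes>
              <exclude>org.apache.james:apache-mime4j-core:(,0.8.9)</exclude>
            </excludes></bannedDependencies></rules></configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=org.apache.james` afterwards shows which MIME4J version is actually resolved, which is the value the audit tool will see.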
