From 7728d5cac3b9fdb4c08c72ef2cc8bfe74cb0cd96 Mon Sep 17 00:00:00 2001
From: Andrea Poli <andreapoli80@gmail.com>
Date: Wed, 22 Jan 2025 19:40:04 +0100
Subject: [PATCH] =?UTF-8?q?[GovWayCore]=20Risolta=20la=20seguente=20vulner?=
 =?UTF-8?q?abilit=C3=A0=20relative=20ai=20jar=20di=20terza=20parte:=20-=20?=
 =?UTF-8?q?CVE-2025-23184:=20=20=20=20=20=20=20=20=20aggiornata=20libreria?=
 =?UTF-8?q?=20'org.apache.cxf:*'=20alla=20versione=203.6.5=20=20=20=20=20?=
 =?UTF-8?q?=20=20=20=20aggiornata=20libreria=20'org.ow2.asm:asm'=20alla=20?=
 =?UTF-8?q?versione=209.7.1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ChangeLog                                     |  9 ++++
 core/ant/openspcoop2-ear.xml                  |  6 +--
 example/pdd/server/testService/build.xml      |  2 +-
 lib/openspcoop2.userlibraries                 | 52 +++++++++----------
 mvn/dependencies/cxf/pom.xml                  |  6 +--
 .../owasp/falsePositives/CVE-2022-40705.xml   |  2 +-
 pom.xml                                       |  2 +-
 protocolli/modipa/testsuite/build.xml         |  2 +-
 .../example/registroServizi/wsdl/build.xml    | 22 ++++----
 .../trasparente/testsuite/karate/build.xml    |  2 +-
 .../securityAdvisory/2025/CVE-2024-38827.rst  |  4 +-
 .../securityAdvisory/2025/CVE-2025-23184.rst  | 35 +++++++++++++
 .../securityAdvisory/2025/index.rst           |  4 +-
 .../cxf/{asm-9.7 => asm-9.7.1}/asm.txt        |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../LICENSE                                   |  0
 .../govway_vault/testsuite/build.xml          |  2 +-
 tools/rs/config/server/testsuite/build.xml    |  2 +-
 tools/rs/monitor/server/testsuite/build.xml   |  2 +-
 .../ant/openspcoop2-govwayLoader-war.xml      |  8 +--
 44 files changed, 104 insertions(+), 58 deletions(-)
 create mode 100644 resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2025-23184.rst
 rename third-party-licenses/cxf/{asm-9.7 => asm-9.7.1}/asm.txt (100%)
 rename third-party-licenses/cxf/{cxf-core-3.6.4-gov4j-1 => cxf-core-3.6.5-gov4j-1}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-bindings-soap-3.6.4 => cxf-rt-bindings-soap-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-databinding-jaxb-3.6.4 => cxf-rt-databinding-jaxb-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-features-logging-3.6.4 => cxf-rt-features-logging-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-frontend-jaxrs-3.6.4 => cxf-rt-frontend-jaxrs-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-frontend-jaxws-3.6.4 => cxf-rt-frontend-jaxws-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-frontend-simple-3.6.4 => cxf-rt-frontend-simple-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-client-3.6.4 => cxf-rt-rs-client-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-json-basic-3.6.4 => cxf-rt-rs-json-basic-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-security-jose-3.6.4-gov4j-1 => cxf-rt-rs-security-jose-3.6.5-gov4j-1}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-security-jose-jaxrs-3.6.4 => cxf-rt-rs-security-jose-jaxrs-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-service-description-common-openapi-3.6.4 => cxf-rt-rs-service-description-common-openapi-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-service-description-openapi-v3-3.6.4 => cxf-rt-rs-service-description-openapi-v3-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-rs-service-description-swagger-ui-3.6.4 => cxf-rt-rs-service-description-swagger-ui-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-security-3.6.4 => cxf-rt-security-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-security-saml-3.6.4 => cxf-rt-security-saml-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-transports-http-3.6.4 => cxf-rt-transports-http-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-transports-http-jetty-3.6.4 => cxf-rt-transports-http-jetty-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-ws-policy-3.6.4 => cxf-rt-ws-policy-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-ws-security-3.6.4 => cxf-rt-ws-security-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-rt-wsdl-3.6.4 => cxf-rt-wsdl-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-tools-common-3.6.4 => cxf-tools-common-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-tools-validator-3.6.4 => cxf-tools-validator-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-tools-wsdlto-core-3.6.4 => cxf-tools-wsdlto-core-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-tools-wsdlto-databinding-jaxb-3.6.4 => cxf-tools-wsdlto-databinding-jaxb-3.6.5}/LICENSE (100%)
 rename third-party-licenses/cxf/{cxf-tools-wsdlto-frontend-jaxws-3.6.4 => cxf-tools-wsdlto-frontend-jaxws-3.6.5}/LICENSE (100%)

diff --git a/ChangeLog b/ChangeLog
index 06b6c100bc..2623725f23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2025-01-22  Andrea Poli <apoli@link.it>
+
+	* [GovWayCore]
+	Risolto Bug #1567
+	Risolta la seguente vulnerabilità relative ai jar di terza parte:
+	- CVE-2025-23184: 
+		aggiornata libreria 'org.apache.cxf:*' alla versione 3.6.5
+		aggiornata libreria 'org.ow2.asm:asm' alla versione 9.7.1
+
 2025-01-21  Andrea Poli <apoli@link.it>
 
 	* [GovWayCore]
diff --git a/core/ant/openspcoop2-ear.xml b/core/ant/openspcoop2-ear.xml
index 08675d7d99..58d3735dbe 100755
--- a/core/ant/openspcoop2-ear.xml
+++ b/core/ant/openspcoop2-ear.xml
@@ -28,9 +28,9 @@
 		<var name="tmp" value="${tmp} ${tmp_prefix}/commons-io-2.15.1.jar"/>
 		<var name="tmp" value="${tmp} ${tmp_prefix}/commons-lang-2.6.jar"/>
 		<var name="tmp" value="${tmp} ${tmp_prefix}/commons-net-3.9.0.jar"/>
-		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-core-3.6.4-gov4j-1.jar"/>
-		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-rt-bindings-soap-3.6.4.jar"/>
-		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-rt-ws-security-3.6.4.jar"/>
+		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-core-3.6.5-gov4j-1.jar"/>
+		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-rt-bindings-soap-3.6.5.jar"/>
+		<var name="tmp" value="${tmp} ${tmp_prefix}/cxf-rt-ws-security-3.6.5.jar"/>
 		<var name="tmp" value="${tmp} ${tmp_prefix}/jaxb-api-2.3.1.jar"/>
 		<var name="tmp" value="${tmp} ${tmp_prefix}/jaxb-core-2.3.0.1.jar"/>
 		<var name="tmp" value="${tmp} ${tmp_prefix}/jaxb-impl-2.3.7.jar"/>
diff --git a/example/pdd/server/testService/build.xml b/example/pdd/server/testService/build.xml
index 1129e9d6b8..4e096e772d 100644
--- a/example/pdd/server/testService/build.xml
+++ b/example/pdd/server/testService/build.xml
@@ -201,7 +201,7 @@
 			<lib dir="${libs}/cxf">
 				<include name="cxf-core-*.jar" />
 				<include name="cxf-rt-*.jar" />
-				<exclude name="cxf-rt-transports-http-3.6.4.jar" /> <!-- warning su wildfly al deploy -->
+				<exclude name="cxf-rt-transports-http-3.6.5.jar" /> <!-- warning su wildfly al deploy -->
 				<include name="jakarta.ws.rs-api-2.1.6.jar" />
 			</lib>
 			<lib dir="${libs}/saaj">
diff --git a/lib/openspcoop2.userlibraries b/lib/openspcoop2.userlibraries
index f1a0f0dee6..21168c185d 100644
--- a/lib/openspcoop2.userlibraries
+++ b/lib/openspcoop2.userlibraries
@@ -26,32 +26,32 @@
 	<archive path="/op2_3.3.dev/lib/commons/commons-compress-1.26.0.jar"/>
 	<archive path="/op2_3.3.dev/lib/commons/commons-math3-3.6.1.jar"/>
 	<!-- cxf -->
-        <archive path="/op2_3.3.dev/lib/cxf/cxf-core-3.6.4-gov4j-1.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-bindings-soap-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-databinding-jaxb-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-features-logging-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-simple-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-jaxws-3.6.4.jar" />
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-jaxrs-3.6.4.jar" />
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-security-3.6.4.jar" />
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-security-saml-3.6.4.jar" />
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-transports-http-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-transports-http-jetty-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-json-basic-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-security-jose-3.6.4-gov4j-1.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-common-openapi-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-wsdl-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-ws-policy-3.6.4.jar" />
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-ws-security-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-common-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-validator-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-core-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.4.jar"/>
-	<archive path="/op2_3.3.dev/lib/cxf/asm-9.7.jar"/>
+        <archive path="/op2_3.3.dev/lib/cxf/cxf-core-3.6.5-gov4j-1.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-bindings-soap-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-databinding-jaxb-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-features-logging-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-simple-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-jaxws-3.6.5.jar" />
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-frontend-jaxrs-3.6.5.jar" />
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-security-3.6.5.jar" />
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-security-saml-3.6.5.jar" />
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-transports-http-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-transports-http-jetty-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-json-basic-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-security-jose-3.6.5-gov4j-1.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-common-openapi-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-wsdl-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-ws-policy-3.6.5.jar" />
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-rt-ws-security-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-common-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-validator-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-core-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.5.jar"/>
+	<archive path="/op2_3.3.dev/lib/cxf/asm-9.7.1.jar"/>
 	<archive path="/op2_3.3.dev/lib/cxf/jakarta.ws.rs-api-2.1.6.jar"/>
         <archive path="/op2_3.3.dev/lib/cxf/stax2-api-4.2.2.jar"/>
         <archive path="/op2_3.3.dev/lib/cxf/woodstox-core-6.6.2.jar"/>
diff --git a/mvn/dependencies/cxf/pom.xml b/mvn/dependencies/cxf/pom.xml
index c8cb8f28e0..49aa00df37 100644
--- a/mvn/dependencies/cxf/pom.xml
+++ b/mvn/dependencies/cxf/pom.xml
@@ -17,9 +17,9 @@
 
 		<jar.group.name>cxf</jar.group.name>
 		
-		<asm.version>9.7</asm.version>
-		<cxf.version>3.6.4</cxf.version>
-		<cxf.gov4j.version>3.6.4-gov4j-1</cxf.gov4j.version>
+		<asm.version>9.7.1</asm.version>
+		<cxf.version>3.6.5</cxf.version>
+		<cxf.gov4j.version>3.6.5-gov4j-1</cxf.gov4j.version>
 		<javax.ws.rs.api.cxf.version>2.1.6</javax.ws.rs.api.cxf.version>
 		<stax2.api.version>4.2.2</stax2.api.version>
 		<woodstock.core.version>6.6.2</woodstock.core.version>
diff --git a/mvn/dependencies/owasp/falsePositives/CVE-2022-40705.xml b/mvn/dependencies/owasp/falsePositives/CVE-2022-40705.xml
index 83fc9355c4..f5e310b3e3 100644
--- a/mvn/dependencies/owasp/falsePositives/CVE-2022-40705.xml
+++ b/mvn/dependencies/owasp/falsePositives/CVE-2022-40705.xml
@@ -1,7 +1,7 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
-     file name: cxf-rt-bindings-soap-3.6.4.jar
+     file name: cxf-rt-bindings-soap-3.6.5.jar
      La vulnerabilità 'CVE-2022-40705' è relativa alla libreria 'soap:soap' e non a CXF.
      Evidenze disponibili in:
      - https://nvd.nist.gov/vuln/detail/CVE-2022-40705 (This issue affects Apache SOAP version 2.2 and later versions)
diff --git a/pom.xml b/pom.xml
index 0b4f352433..8f0c13e6b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,7 +34,7 @@
 		
 		<!-- owasp config -->
 		<owasp>verify</owasp> <!-- owasp phase, use 'none' for disable -->
-		<owasp.plugin.version>12.0.0</owasp.plugin.version>
+		<owasp.plugin.version>12.0.1</owasp.plugin.version>
 		<owasp.plugin.autoUpdate>true</owasp.plugin.autoUpdate> <!-- Impostare a false quando ci sono problemi su repository NIST -->
 		<owasp.plugin.failBuildOnAnyVulnerability>false</owasp.plugin.failBuildOnAnyVulnerability>
 		<owasp.ossindex.prevents429.sleep>5</owasp.ossindex.prevents429.sleep> <!-- https://github.com/sonatype/ossindex-maven/issues/17 -->
diff --git a/protocolli/modipa/testsuite/build.xml b/protocolli/modipa/testsuite/build.xml
index a560e81c67..fa3053b223 100644
--- a/protocolli/modipa/testsuite/build.xml
+++ b/protocolli/modipa/testsuite/build.xml
@@ -46,7 +46,7 @@
 			<include name="joda-time-2.12.0.jar"/>
                 </fileset>
                 <fileset dir="${required_lib}/cxf" >
-                        <include name="asm-9.7.jar"/>
+                        <include name="asm-9.7.1.jar"/>
                 </fileset>
                 <fileset dir="${openspcoop2.dist}" >
                         <include name="*.jar"/>
diff --git a/protocolli/spcoop/example/registroServizi/wsdl/build.xml b/protocolli/spcoop/example/registroServizi/wsdl/build.xml
index f5a77f8290..e9c9d60a69 100644
--- a/protocolli/spcoop/example/registroServizi/wsdl/build.xml
+++ b/protocolli/spcoop/example/registroServizi/wsdl/build.xml
@@ -58,17 +58,17 @@
 		<fileset dir="${required_lib}/log" includes="*.jar"/>
 		<fileset dir="${required_lib}/shared" includes="wsdl4j-1.6.3.jar"/>
 		<fileset dir="${required_lib}/shared" includes="velocity-engine-core-2.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-tools-validator-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-core-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-frontend-jaxws-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-databinding-jaxb-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-tools-common-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-core-3.6.4-gov4j-1.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-rt-wsdl-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-rt-frontend-jaxws-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-rt-frontend-simple-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-rt-databinding-jaxb-3.6.4.jar"/>
-		<fileset dir="${required_lib}/cxf" includes="cxf-rt-bindings-soap-3.6.4.jar"/>	
+		<fileset dir="${required_lib}/cxf" includes="cxf-tools-validator-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-core-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-frontend-jaxws-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-tools-wsdlto-databinding-jaxb-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-tools-common-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-core-3.6.5-gov4j-1.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-rt-wsdl-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-rt-frontend-jaxws-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-rt-frontend-simple-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-rt-databinding-jaxb-3.6.5.jar"/>
+		<fileset dir="${required_lib}/cxf" includes="cxf-rt-bindings-soap-3.6.5.jar"/>	
 		<fileset dir="${required_lib}/cxf" includes="stax2-api-4.2.2.jar"/>
 		<fileset dir="${required_lib}/cxf" includes="woodstox-core-6.6.2.jar"/>
 		<fileset dir="${required_lib}/cxf" includes="xmlschema-core-2.3.1.jar"/>
diff --git a/protocolli/trasparente/testsuite/karate/build.xml b/protocolli/trasparente/testsuite/karate/build.xml
index 3993983c57..34b2adee3d 100644
--- a/protocolli/trasparente/testsuite/karate/build.xml
+++ b/protocolli/trasparente/testsuite/karate/build.xml
@@ -68,7 +68,7 @@
 			<include name="cxf-core-*.jar"/>
 			<include name="cxf-rt-rs-json-basic-*.jar"/>
 			<include name="cxf-rt-rs-security-jose-*.jar"/>
-			<include name="asm-9.7.jar"/>
+			<include name="asm-9.7.1.jar"/>
 			<include name="woodstox-core-6.6.2.jar"/>
 			<include name="xmlschema-core-2.3.1.jar"/>
 		</fileset>
diff --git a/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2024-38827.rst b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2024-38827.rst
index a94ccd7730..7999194396 100644
--- a/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2024-38827.rst
+++ b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2024-38827.rst
@@ -1,4 +1,4 @@
-.. _vulnerabilityManagement_securityAdvisory_2024_CVE-2024-38827:
+.. _vulnerabilityManagement_securityAdvisory_2025_CVE-2024-38827:
 
 CVE-2024-38827
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -15,7 +15,7 @@ Riferimenti:
 - `https://ossindex.sonatype.org/vulnerability/CVE-2024-38827 <https://ossindex.sonatype.org/vulnerability/CVE-2024-38827>`_
 - `https://spring.io/security/cve-2024-38827 <https://spring.io/security/cve-2024-38827>`_
 
-Libreria: org.springframework.security/spring-security-\* < 5.8.16
+Libreria: org.springframework.security:spring-security-\* < 5.8.16
 
 **Descrizione**
 
diff --git a/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2025-23184.rst b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2025-23184.rst
new file mode 100644
index 0000000000..e558ea87b9
--- /dev/null
+++ b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/CVE-2025-23184.rst
@@ -0,0 +1,35 @@
+.. _vulnerabilityManagement_securityAdvisory_2025_CVE-2025-23184:
+
+CVE-2025-23184
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Data: 2025-01-22
+
+Severity: Medium
+
+CVSS Score:  5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
+
+Riferimenti:  
+
+- `https://nvd.nist.gov/vuln/detail/CVE-2025-23184 <https://nvd.nist.gov/vuln/detail/CVE-2025-23184>`_
+- `https://ossindex.sonatype.org/vulnerability/CVE-2025-23184 <https://ossindex.sonatype.org/vulnerability/CVE-2025-23184>`_
+- `https://cxf.apache.org/security-advisories.data/CVE-2025-23184.txt <https://cxf.apache.org/security-advisories.data/CVE-2025-23184.txt?version=2&modificationDate=1737381863000&api=v2>`_
+
+Libreria: org.apache.cxf:cxf-core < 3.6.5
+
+**Descrizione**
+
+CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
+
+A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. 
+
+In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
+
+**GovWay**
+
+Versione affette: <= 3.3.15.p2
+
+Risoluzione: prima versione in rilascio
+
+
+
diff --git a/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/index.rst b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/index.rst
index 2e80e60b96..bc21a4df62 100644
--- a/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/index.rst
+++ b/resources/doc/src/manuali/vulnerability-management/securityAdvisory/2025/index.rst
@@ -3,9 +3,11 @@
 Avvisi di Sicurezza 2025
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- :ref:`vulnerabilityManagement_securityAdvisory_2024_CVE-2024-38827`
+- :ref:`vulnerabilityManagement_securityAdvisory_2025_CVE-2025-23184`
+- :ref:`vulnerabilityManagement_securityAdvisory_2025_CVE-2024-38827`
 
 .. toctree::
         :maxdepth: 2
 
+	CVE-2025-23184
 	CVE-2024-38827
diff --git a/third-party-licenses/cxf/asm-9.7/asm.txt b/third-party-licenses/cxf/asm-9.7.1/asm.txt
similarity index 100%
rename from third-party-licenses/cxf/asm-9.7/asm.txt
rename to third-party-licenses/cxf/asm-9.7.1/asm.txt
diff --git a/third-party-licenses/cxf/cxf-core-3.6.4-gov4j-1/LICENSE b/third-party-licenses/cxf/cxf-core-3.6.5-gov4j-1/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-core-3.6.4-gov4j-1/LICENSE
rename to third-party-licenses/cxf/cxf-core-3.6.5-gov4j-1/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-bindings-soap-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-bindings-soap-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-bindings-soap-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-bindings-soap-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-databinding-jaxb-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-databinding-jaxb-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-databinding-jaxb-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-databinding-jaxb-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-features-logging-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-features-logging-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-features-logging-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-features-logging-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-frontend-jaxrs-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-frontend-jaxrs-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-frontend-jaxrs-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-frontend-jaxrs-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-frontend-jaxws-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-frontend-jaxws-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-frontend-jaxws-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-frontend-jaxws-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-frontend-simple-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-frontend-simple-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-frontend-simple-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-frontend-simple-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-client-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-client-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-client-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-client-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-json-basic-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-json-basic-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-json-basic-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-json-basic-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-security-jose-3.6.4-gov4j-1/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-security-jose-3.6.5-gov4j-1/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-security-jose-3.6.4-gov4j-1/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-security-jose-3.6.5-gov4j-1/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-security-jose-jaxrs-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-service-description-common-openapi-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-service-description-common-openapi-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-service-description-common-openapi-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-service-description-common-openapi-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-service-description-openapi-v3-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-rs-service-description-swagger-ui-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-security-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-security-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-security-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-security-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-security-saml-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-security-saml-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-security-saml-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-security-saml-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-transports-http-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-transports-http-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-transports-http-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-transports-http-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-transports-http-jetty-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-transports-http-jetty-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-transports-http-jetty-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-transports-http-jetty-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-ws-policy-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-ws-policy-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-ws-policy-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-ws-policy-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-ws-security-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-ws-security-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-ws-security-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-ws-security-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-rt-wsdl-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-rt-wsdl-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-rt-wsdl-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-rt-wsdl-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-tools-common-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-tools-common-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-tools-common-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-tools-common-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-tools-validator-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-tools-validator-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-tools-validator-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-tools-validator-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-tools-wsdlto-core-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-tools-wsdlto-core-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-tools-wsdlto-core-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-tools-wsdlto-core-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-tools-wsdlto-databinding-jaxb-3.6.5/LICENSE
diff --git a/third-party-licenses/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.4/LICENSE b/third-party-licenses/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.5/LICENSE
similarity index 100%
rename from third-party-licenses/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.4/LICENSE
rename to third-party-licenses/cxf/cxf-tools-wsdlto-frontend-jaxws-3.6.5/LICENSE
diff --git a/tools/command_line_interfaces/govway_vault/testsuite/build.xml b/tools/command_line_interfaces/govway_vault/testsuite/build.xml
index e4746e6fb1..6e5c66d282 100644
--- a/tools/command_line_interfaces/govway_vault/testsuite/build.xml
+++ b/tools/command_line_interfaces/govway_vault/testsuite/build.xml
@@ -59,7 +59,7 @@
 			<include name="cxf-core-*.jar"/>
 			<include name="cxf-rt-rs-json-basic-*.jar"/>
 			<include name="cxf-rt-rs-security-jose-*.jar"/>
-			<include name="asm-9.7.jar"/>
+			<include name="asm-9.7.1.jar"/>
 			<include name="woodstox-core-6.6.2.jar"/>
 			<include name="xmlschema-core-2.3.1.jar"/>
 		</fileset>
diff --git a/tools/rs/config/server/testsuite/build.xml b/tools/rs/config/server/testsuite/build.xml
index cea25986f0..07d51abe3c 100644
--- a/tools/rs/config/server/testsuite/build.xml
+++ b/tools/rs/config/server/testsuite/build.xml
@@ -38,7 +38,7 @@
                         <include name="snakeyaml-1.33-gov4j-1.jar"/>
                 </fileset>
                 <fileset dir="${required_lib}/cxf" >
-                        <include name="asm-9.7.jar"/>
+                        <include name="asm-9.7.1.jar"/>
                 </fileset>
         </path> 
 
diff --git a/tools/rs/monitor/server/testsuite/build.xml b/tools/rs/monitor/server/testsuite/build.xml
index edc57ae858..fd884a9144 100644
--- a/tools/rs/monitor/server/testsuite/build.xml
+++ b/tools/rs/monitor/server/testsuite/build.xml
@@ -45,7 +45,7 @@
                         <include name="snakeyaml-1.33-gov4j-1.jar"/>
                 </fileset>
                 <fileset dir="${required_lib}/cxf" >
-                        <include name="asm-9.7.jar"/>
+                        <include name="asm-9.7.1.jar"/>
                 </fileset>
 	</path> 
 
diff --git a/tools/web_interfaces/loader/ant/openspcoop2-govwayLoader-war.xml b/tools/web_interfaces/loader/ant/openspcoop2-govwayLoader-war.xml
index af5177da71..994b374238 100755
--- a/tools/web_interfaces/loader/ant/openspcoop2-govwayLoader-war.xml
+++ b/tools/web_interfaces/loader/ant/openspcoop2-govwayLoader-war.xml
@@ -117,10 +117,10 @@
 				<include name="${jaxp_ri_jar}" />
 			</lib>
 			<lib dir="${required_lib_loaderConsole}/cxf">
-				<include name="cxf-rt-rs-security-jose-3.6.4-gov4j-1.jar" />
-				<include name="cxf-rt-rs-json-basic-3.6.4.jar" />
-				<include name="cxf-rt-security-3.6.4.jar" />
-				<include name="cxf-core-3.6.4-gov4j-1.jar" />
+				<include name="cxf-rt-rs-security-jose-3.6.5-gov4j-1.jar" />
+				<include name="cxf-rt-rs-json-basic-3.6.5.jar" />
+				<include name="cxf-rt-security-3.6.5.jar" />
+				<include name="cxf-core-3.6.5-gov4j-1.jar" />
 			</lib>
 			<lib dir="${required_lib_loaderConsole}/jackson" >
 				<include name="*.jar" />