axis-java-dev mailing list archives

From Avi Sanwal <avi.san...@gmail.com>
Subject [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
Date Mon, 28 Nov 2016 11:31:35 GMT
Hi,

We are getting a vulnerability notification for commons-httpclient.

*CVE ID*: CVE-2015-5262
*References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478

Currently, we are using Axis2 (*1.5.1*), which internally uses
*commons-httpclient (3.1)*. However, the latest stable version (as of now,
*1.7.4*) still employs *commons-httpclient:3.1* by default.
Since the reported vulnerability is present in the *commons-httpclient:3.1*
JAR,

   - What is the mitigation plan of Axis2 for this vulnerability, when can
   it be expected in a stable release?
   - What is the recommendation to avoid packing this JAR along with our
   application (client-app)?

Note:

   - If necessary, we can move to a newer stable version (1.7.x). But
   currently, it does not help us since *commons-httpclient:3.1* still gets
   packed as a transient dependency.



*Client Code snippet, for reference*

  // Imports used by this snippet (Axis2 client API; javax.xml.namespace.QName is JDK)
  import javax.xml.namespace.QName;
  import org.apache.axis2.AxisFault;
  import org.apache.axis2.addressing.EndpointReference;
  import org.apache.axis2.client.Options;
  import org.apache.axis2.rpc.client.RPCServiceClient;
  import org.apache.axis2.transport.http.HTTPConstants;
  import org.apache.axis2.transport.http.HttpTransportProperties;

  RPCServiceClient serviceClient = null;
  String responseUrl = null;
  try {
      // create the RPC client
      serviceClient = new RPCServiceClient();
      Options options = serviceClient.getOptions();

      // HTTP Basic Authentication (sent preemptively, i.e. on the first request)
      HttpTransportProperties.Authenticator auth =
              new HttpTransportProperties.Authenticator();
      auth.setUsername(wsUser);
      auth.setPassword(wsPassword);
      auth.setPreemptiveAuthentication(true);
      options.setProperty(HTTPConstants.AUTHENTICATE, auth);

      // Target endpoint of the service
      String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
              + "/TestService/services/TestService";
      EndpointReference targetEPR = new EndpointReference(webServiceURL);

      // Set the options
      options.setTo(targetEPR);

      // QName of the method to invoke
      QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);

      // Arguments of the operation, in parameter order
      Object[] opGenerateUrlArguments = new Object[] { application,
              soapAddress, applicationPort, protocol };

      // Expected return type(s) of the operation
      Class[] returnTypes = new Class[] { String.class };

      // Blocking (synchronous) invocation over the HTTP transport
      Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
              opGenerateUrlArguments, returnTypes);
      if (response.length > 0) {
          responseUrl = (String) response[0];
      }
  } catch (AxisFault af) {
      ...
  } catch (Exception e) {
      ...
  } finally {
      ...
  }


Thanking You
Yours Sincerely
Avi Sanwal

PS: I also created a JIRA earlier (before I read the FAQs) -
https://issues.apache.org/jira/browse/AXIS2-5822
PPS: I am unable to access the mailing archives to see if this concern has
been already addressed.
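The second question above, how to keep the commons-httpclient 3.1 JAR out of the packaged client application, is in practice a build-time supply-chain check: find out which Axis2 artifact drags the JAR in, exclude it, and then make the build fail if it ever comes back. The script below is an added example written for this page; it is not part of the original message or of the Axis2 project. It parses `mvn dependency:tree` output and reports, for every commons-httpclient 3.x entry, the direct dependency that pulled it in. The two dependency trees embedded in it are constructed samples: the artifact nesting and the `com.example:client-app` coordinates are assumed, while the Axis2 version 1.7.4 and commons-httpclient 3.1 are the ones named in the message.

```shell
#!/bin/sh
# Gate: fail when a commons-httpclient 3.x JAR is present in the Maven dependency tree.
# Added example for this page; not Axis2 project code.

# Constructed sample of `mvn dependency:tree` output BEFORE any exclusion.
# Nesting and the com.example coordinates are assumed for illustration.
SAMPLE_TREE='[INFO] com.example:client-app:jar:1.0
[INFO] +- org.apache.axis2:axis2-kernel:jar:1.7.4:compile
[INFO] +- org.apache.axis2:axis2-transport-http:jar:1.7.4:compile
[INFO] |  \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \- org.apache.axis2:axis2-adb:jar:1.7.4:compile'

# Constructed sample of the same tree AFTER an <exclusion> for
# commons-httpclient:commons-httpclient under axis2-transport-http.
CLEAN_TREE='[INFO] com.example:client-app:jar:1.0
[INFO] +- org.apache.axis2:axis2-kernel:jar:1.7.4:compile
[INFO] +- org.apache.axis2:axis2-transport-http:jar:1.7.4:compile
[INFO] \- org.apache.axis2:axis2-adb:jar:1.7.4:compile'

# report_httpclient3: reads dependency:tree text on stdin.
# Prints "<direct dependency> -> <vulnerable coordinate>" for every
# commons-httpclient 3.x line and exits 1 if any was found (0 otherwise),
# so it can be wired into a build as a blocking check.
report_httpclient3() {
  awk '
    # A depth-1 line looks like "[INFO] +- g:a:jar:v:scope" or "[INFO] \- ...";
    # remember its coordinate as the direct dependency currently being expanded.
    /^\[INFO\] [+\\]- / { direct = $3 }
    # Any line (at any depth) naming commons-httpclient 3.x is a hit;
    # the coordinate is always the last whitespace-separated field.
    /commons-httpclient:commons-httpclient:jar:3\./ {
      print direct " -> " $NF
      found = 1
    }
    END { exit found ? 1 : 0 }
  '
}

# Stand-alone run: show the finding for the vulnerable tree and the clean result.
printf '%s\n' "$SAMPLE_TREE" | report_httpclient3 \
  || echo "commons-httpclient 3.x is still packed; add an exclusion for it"
printf '%s\n' "$CLEAN_TREE" | report_httpclient3 \
  && echo "no commons-httpclient 3.x in the dependency tree"
```

Run it against a real project with `mvn dependency:tree | sh this_script.sh`-style piping into `report_httpclient3`, or narrow the tree first with `mvn dependency:tree -Dincludes=commons-httpclient`. One caveat the message itself makes clear: the Axis2 versions it names use commons-httpclient 3.1 for their default HTTP transport, so adding a Maven `<exclusion>` for `commons-httpclient:commons-httpclient` removes the JAR from the package but leaves the client unable to send requests at runtime unless the HTTP transport is also switched to one that does not depend on it. The gate above only tells you whether the JAR is present; it does not make the client work without it.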
