axis-java-dev mailing list archives

From <avi.san...@gmail.com>
Subject RE: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability
Date Mon, 19 Dec 2016 15:35:02 GMT
Hi Andreas,

Thanks for the response. We have already followed the instructions in AXIS2 documentations
to migrate to 1.7.4. We tried with a customized RPCServiceClient, and it picks the new HTTPClient
version. However, we fear that the below mentioned vulnerability would still be reported as
Maven transiently still packs the old version of HTTPClient (3.1). So we have added an <excludes>
clause in our dependency.

This will work for now, however, it looks like a workaround-ish fix. We hope that AXIS2 would
provide a ‘default’ fix (without having users rely on the <excludes>) in a near
future release (or a fork for backward compatibility?).

Eagerly awaiting your response,
Avi Sanwal

From: Andreas Veithen
Sent: Monday, December 19, 2016 8:48 PM
To: java-dev
Subject: Re: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

You need to switch to the HttpClient 4.x based HTTP transport as
explained in the Axis2 1.7.0 release notes [1]. This means that you
need to create a customized axis2.xml config file, instantiate a
ConfigurationContext from that file and pass it to the
RPCServiceClient (instead of letting RPCServiceClient create a default
ConfigurationContext for you).

Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <avi.sanwal@gmail.com> wrote:
> Hi,
>
> We are getting a vulnerability notification for commons-httpclient
>
> CVE ID: CVE-2015-5262
> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> Currently, we are using Axis2 (1.5.1) which internally uses
> commons-httpclient (3.1). However, the latest stable version (as of now,
> 1.7.4) still employs commons-httpclient:3.1 by default.
> Since the reported vulnerability is present in the commons-httpclient:3.1
> JAR,
>
> What is the mitigation plan of Axis2 for this vulnerability, when can it be
> expected in a stable release?
> What is the recommendation to avoid packing this JAR along with our
> application (client-app)?
>
> Note:
>
> If, necessary, we can move to a newer stable version (1.7.x). But currently,
> it does not help us since commons-httpclient:3.1 still gets packed as a
> transient dependency.
>
>
>
> Client Code snippet, for reference
>
> import javax.xml.namespace.QName;
> import org.apache.axis2.AxisFault;
> import org.apache.axis2.addressing.EndpointReference;
> import org.apache.axis2.client.Options;
> import org.apache.axis2.rpc.client.RPCServiceClient;
> import org.apache.axis2.transport.http.HTTPConstants;
> import org.apache.axis2.transport.http.HttpTransportProperties;
>
>   RPCServiceClient serviceClient = null;
>   String responseUrl = null;
>   try {
>       // create the RPC client (default ConfigurationContext, i.e. default axis2.xml)
>       serviceClient = new RPCServiceClient();
>       Options options = serviceClient.getOptions();
>
>       // HTTP Basic Authentication
>       HttpTransportProperties.Authenticator auth =
>               new HttpTransportProperties.Authenticator();
>       auth.setUsername(wsUser);
>       auth.setPassword(wsPassword);
>       auth.setPreemptiveAuthentication(true);
>       options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>       String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
>               + "/TestService/services/TestService";
>       EndpointReference targetEPR = new EndpointReference(webServiceURL);
>
>       // Set the options
>       options.setTo(targetEPR);
>
>       // QName of the method to invoke
>       QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>
>       Object[] opGenerateUrlArguments = new Object[] { application,
>               soapAddress, applicationPort, protocol };
>
>       Class[] returnTypes = new Class[] { String.class };
>
>       Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>               opGenerateUrlArguments, returnTypes);
>       if (response.length > 0) {
>           // the single String return value is the generated URL
>           responseUrl = (String) response[0];
>       }
>   } catch (AxisFault af) {
>       ...
>   } catch (Exception e) {
>       ...
>   } finally {
>       ...
>   }
>
>
> Thanking You
> Yours Sincerely
> Avi Sanwal
>
> PS: I also created a JIRA earlier (before I read the FAQs) -
> https://issues.apache.org/jira/browse/AXIS2-5822
> PPS: I am unable to access the mailing archives to see if this concern has
> been already addressed.

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
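The switch Andreas describes (a customized axis2.xml loaded into a ConfigurationContext and handed to RPCServiceClient, instead of the default context the original snippet relies on), written out as an added example that is not from this thread or from the Axis2 project. The repository and axis2.xml paths are caller-supplied assumptions, and the HttpClient 4.x sender class name is assumed from the Axis2 1.7.x HTTP transport module; the classpath check at the end complements the Maven exclusion of commons-httpclient 3.1.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

public class HttpClient4ClientFactory {

    // Assumed: the HttpClient 4.x based sender shipped with the Axis2 1.7.x HTTP transport.
    // The custom axis2.xml must declare it, e.g.
    //   <transportSender name="http" class="...httpclient4.HTTPClient4TransportSender">
    static final String HC4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    // repoPath: Axis2 client repository directory; axis2XmlPath: the customized axis2.xml.
    // Both are assumed to be supplied by the caller (e.g. from application config).
    public static RPCServiceClient create(String repoPath, String axis2XmlPath) throws AxisFault {
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(repoPath, axis2XmlPath);
        verifyHttpClient4Transport(ctx);
        // Pass the explicit context; the no-arg constructor would build a default one
        // from the bundled axis2.xml, which still selects the HttpClient 3.x sender.
        return new RPCServiceClient(ctx, null);
    }

    // Fail fast if the loaded configuration still routes HTTP through another sender
    static void verifyHttpClient4Transport(ConfigurationContext ctx) throws AxisFault {
        TransportOutDescription http = ctx.getAxisConfiguration().getTransportOut("http");
        if (http == null || http.getSender() == null
                || !HC4_SENDER.equals(http.getSender().getClass().getName())) {
            throw new AxisFault("axis2.xml does not configure " + HC4_SENDER
                    + " as the http transportSender");
        }
    }

    // True only when commons-httpclient 3.x is not on the runtime classpath, i.e. the
    // Maven exclusion of the transitive dependency actually took effect in the packaged app.
    public static boolean commonsHttpClientAbsent() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            return false;
        } catch (ClassNotFoundException e) {
            return true;
        }
    }
}
```

Calling `create(...)` once at startup and then reusing the returned client keeps a single ConfigurationContext; a scanner that flags the CVE by JAR presence is only satisfied when `commonsHttpClientAbsent()` is true in the deployed artifact, not just in the IDE.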
