axis-java-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability
Date Tue, 20 Dec 2016 09:46:59 GMT
On Mon, Dec 19, 2016 at 3:35 PM,  <avi.sanwal@gmail.com> wrote:
> Hi Andreas,
>
> Thanks for the response. We have already followed the instructions in AXIS2
> documentations to migrate to 1.7.4. We tried with a customized
> RPCServiceClient, and it picks the new HTTPClient version. However, we fear
> that the below mentioned vulnerability would still be reported as Maven
> transiently still packs the old version of HTTPClient (3.1). So we have
> added an <excludes> clause in our dependency.
>
> This will work for now, however, it looks like a workaround-ish fix. We hope
> that AXIS2 would provide a ‘default’ fix (without having users to rely on
> the <excludes>) in a near future release (or a fork for backward
> compatibility?).

In Axis2 1.8, HttpClient 4.x will be the default, and the two
implementations of the HTTP transport will be available as two
distinct Maven artifacts, effectively fixing the transitive dependency
problem.

>
> Eagerly awaiting your response,
>
> Avi Sanwal
>
> From: Andreas Veithen
> Sent: Monday, December 19, 2016 8:48 PM
> To: java-dev
> Subject: Re: [Axis2] Vulnerability notification for Apache
> httpclient(CVE-2015-5262) - Denial of Service Vulnerability
>
> You need to switch to the HttpClient 4.x based HTTP transport as
> explained in the Axis2 1.7.0 release notes [1]. This means that you
> need to create a customized axis2.xml config file, instantiate a
> ConfigurationContext from that file and pass it to the
> RPCServiceClient (instead of letting RPCServiceClient create a default
> ConfigurationContext for you).
>
> Andreas
>
> [1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html
>
> On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <avi.sanwal@gmail.com> wrote:
>> Hi,
>>
>> We are getting a vulnerability notification for commons-httpclient
>>
>> CVE ID: CVE-2015-5262
>> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>>
>> Currently, we are using Axis2 (1.5.1) which internally uses
>> commons-httpclient (3.1). However, the latest stable version (as of now,
>> 1.7.4) still employs commons-httpclient:3.1 by default.
>> Since the reported vulnerability is present in the commons-httpclient:3.1
>> JAR,
>>
>> What is the mitigation plan of Axis2 for this vulnerability, when can it
>> be expected in a stable release?
>> What is the recommendation to avoid packing this JAR along with our
>> application (client-app)?
>>
>> Note:
>>
>> If necessary, we can move to a newer stable version (1.7.x). But
>> currently, it does not help us since commons-httpclient:3.1 still gets
>> packed as a transient dependency.
>>
>> Client Code snippet, for reference
>>
>> // imports needed by the snippet
>> import javax.xml.namespace.QName;
>> import org.apache.axis2.AxisFault;
>> import org.apache.axis2.addressing.EndpointReference;
>> import org.apache.axis2.client.Options;
>> import org.apache.axis2.rpc.client.RPCServiceClient;
>> import org.apache.axis2.transport.http.HTTPConstants;
>> import org.apache.axis2.transport.http.HttpTransportProperties;
>>
>>   RPCServiceClient serviceClient = null;
>>   String responseUrl = null;
>>   try {
>>     // create the RPC client (no-arg constructor: Axis2 builds the
>>     // default ConfigurationContext, i.e. the default HTTP transport)
>>     serviceClient = new RPCServiceClient();
>>     Options options = serviceClient.getOptions();
>>
>>     // HTTP Basic Authentication
>>     HttpTransportProperties.Authenticator auth = new
>>       HttpTransportProperties.Authenticator();
>>     auth.setUsername(wsUser);
>>     auth.setPassword(wsPassword);
>>     auth.setPreemptiveAuthentication(true);
>>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort +
>>       "/TestService/services/TestService";
>>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
>>
>>     // Set the options
>>     options.setTo(targetEPR);
>>
>>     // QName of the method to invoke
>>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE,
>>       SOAP_SERVICE_METHOD);
>>
>>     Object[] opGenerateUrlArguments = new Object[] { application,
>>       soapAddress, applicationPort, protocol };
>>
>>     Class[] returnTypes = new Class[] { String.class };
>>
>>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>>       opGenerateUrlArguments, returnTypes);
>>     if (response.length > 0) {
>>       responseUrl = (String) response[0];
>>     }
>>   } catch (AxisFault af) {
>>     ...
>>   } catch (Exception e) {
>>     ...
>>   } finally {
>>     ...
>>   }
>>
>> Thanking You
>> Yours Sincerely
>> Avi Sanwal
>>
>> PS: I also created a JIRA earlier (before I read the FAQs) -
>> https://issues.apache.org/jira/browse/AXIS2-5822
>> PPS: I am unable to access the mailing archives to see if this concern has
>> been already addressed.

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
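The procedure Andreas describes (a customized axis2.xml, a ConfigurationContext instantiated from it, and that context handed to RPCServiceClient instead of the default one), written out as an added example; this is not code from the thread or from the Axis2 project. It assumes Axis2 1.7.x on the classpath, a hypothetical file conf/axis2.xml whose transportSender entries for "http" and "https" name the HttpClient 4.x sender class from the 1.7.0 release notes, and constructed endpoint, namespace, method and credential values. The runtime check of which sender class the loaded context actually resolves goes beyond the thread; it is the check a practitioner would want so that a client does not silently keep using the commons-httpclient 3.1 transport.

```java
import javax.xml.namespace.QName;

import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;

/**
 * Added example (not from the thread): build the RPCServiceClient on a
 * ConfigurationContext loaded from a customized axis2.xml and verify, before
 * the first call, that the HttpClient 4.x transport sender is the one in use.
 *
 * Assumed content of the hypothetical conf/axis2.xml, replacing the default
 * transportSender entries for "http" and "https":
 *
 *   <transportSender name="http"
 *       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 *     <parameter name="PROTOCOL">HTTP/1.1</parameter>
 *     <parameter name="Transfer-Encoding">chunked</parameter>
 *   </transportSender>
 */
public class HttpClient4RpcClient {

    // Hypothetical path; point this at the customized axis2.xml shipped with the client app.
    static final String AXIS2_XML = "conf/axis2.xml";

    // Sender class named in the Axis2 1.7.0 release notes for the HttpClient 4.x transport.
    static final String HTTPCLIENT4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Load the context from the file instead of letting RPCServiceClient build a default one. */
    static ConfigurationContext loadContext(String axis2Xml) throws AxisFault {
        // First argument is the repository directory (services/modules); null when the client has none.
        return ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, axis2Xml);
    }

    /** Fail fast if "http" or "https" still resolves to a sender other than the HttpClient 4.x one. */
    static void requireHttpClient4(ConfigurationContext ctx) throws AxisFault {
        for (String name : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            if (out == null || out.getSender() == null) {
                continue; // transport not configured at all, so nothing is sent over it
            }
            String actual = out.getSender().getClass().getName();
            if (!HTTPCLIENT4_SENDER.equals(actual)) {
                throw new AxisFault("transport '" + name + "' uses " + actual
                        + " but " + HTTPCLIENT4_SENDER + " was expected");
            }
        }
    }

    /** The same RPC call as in the thread's snippet, but over the explicitly loaded context. */
    static String generateUrl(ConfigurationContext ctx, String endpoint, String user,
            String password, QName operation, Object[] args) throws AxisFault {
        // Passing the context here is what selects the HttpClient 4.x transport.
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        try {
            Options options = client.getOptions();

            // HTTP Basic Authentication, preemptive as in the original snippet
            HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
            auth.setUsername(user);
            auth.setPassword(password);
            auth.setPreemptiveAuthentication(true);
            options.setProperty(HTTPConstants.AUTHENTICATE, auth);
            options.setTo(new EndpointReference(endpoint));

            Object[] response = client.invokeBlocking(operation, args, new Class[] { String.class });
            return response.length > 0 ? (String) response[0] : null;
        } finally {
            client.cleanupTransport(); // release the HTTP connection held by the last call
            client.cleanup();
        }
    }

    public static void main(String[] argv) throws AxisFault {
        ConfigurationContext ctx = loadContext(AXIS2_XML);
        requireHttpClient4(ctx);

        // Constructed sample values; the real namespace, method and host come from the service WSDL.
        QName op = new QName("http://example.invalid/TestService", "generateUrl");
        Object[] args = new Object[] { "myApp", "soap.example.invalid", "8443", "https" };
        String url = generateUrl(ctx,
                "https://soap.example.invalid:8443/TestService/services/TestService",
                "wsUser", "wsPassword", op, args);
        System.out.println("service returned: " + url);
    }
}
```

The runtime check complements the Maven exclusion Avi mentions rather than replacing it: the exclusion keeps the commons-httpclient 3.1 JAR out of the packaged application (confirm with `mvn dependency:tree` that `commons-httpclient:commons-httpclient:jar:3.1` no longer appears), while `requireHttpClient4` catches a customized axis2.xml that still carries the original transportSender entries. Once Axis2 1.8 ships the two transports as separate artifacts, as Andreas says, the exclusion becomes unnecessary; the check remains a cheap assertion that the intended transport is wired in.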

