axis-java-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
Date Mon, 19 Dec 2016 15:18:29 GMT
You need to switch to the HttpClient 4.x based HTTP transport as
explained in the Axis2 1.7.0 release notes [1]. This means that you
need to create a customized axis2.xml config file, instantiate a
ConfigurationContext from that file and pass it to the
RPCServiceClient (instead of letting RPCServiceClient create a default
ConfigurationContext for you).

Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <avi.sanwal@gmail.com> wrote:
> Hi,
>
> We are getting a vulnerability notification for commons-httpclient
>
> CVE ID: CVE-2015-5262
> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> Currently, we are using Axis2 (1.5.1) which internally uses
> commons-httpclient (3.1). However, the latest stable version (as of now,
> 1.7.4) still employs commons-httpclient:3.1 by default.
> Since the reported vulnerability is present in the commons-httpclient:3.1
> JAR,
>
> What is the mitigation plan of Axis2 for this vulnerability, when can it be
> expected in a stable release?
> What is the recommendation to avoid packing this JAR along with our
> application (client-app)?
>
> Note:
>
> If necessary, we can move to a newer stable version (1.7.x). But currently,
> it does not help us since commons-httpclient:3.1 still gets packed as a
> transient dependency.
>
>
>
> Client Code snippet, for reference
>
>   RPCServiceClient serviceClient = null;
>   String responseUrl = null;
>   try {
>     // create the RPC client (default axis2.xml, hence the default HTTP transport)
>     serviceClient = new RPCServiceClient();
>     Options options = serviceClient.getOptions();
>
>     // HTTP Basic Authentication
>     HttpTransportProperties.Authenticator auth =
>         new HttpTransportProperties.Authenticator();
>     auth.setUsername(wsUser);
>     auth.setPassword(wsPassword);
>     auth.setPreemptiveAuthentication(true);
>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
>         + "/TestService/services/TestService";
>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
>
>     // Set the options
>     options.setTo(targetEPR);
>
>     // QName of the method to invoke
>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>
>     Object[] opGenerateUrlArguments = new Object[] { application,
>         soapAddress, applicationPort, protocol };
>
>     Class[] returnTypes = new Class[] { String.class };
>
>     // blocking invocation; the first returned element is the generated URL
>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>         opGenerateUrlArguments, returnTypes);
>     if (response.length > 0) {
>       responseUrl = (String) response[0];
>     }
>   } catch (AxisFault af) {
>     ...
>   } catch (Exception e) {
>     ...
>   } finally {
>     ...
>   }
>
>
> Thanking You
> Yours Sincerely
> Avi Sanwal
>
> PS: I also created a JIRA earlier (before I read the FAQs) -
> https://issues.apache.org/jira/browse/AXIS2-5822
> PPS: I am unable to access the mailing archives to see if this concern has
> been already addressed.
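The switch Andreas describes (custom axis2.xml, explicit ConfigurationContext, passed into RPCServiceClient) rewritten as a complete client, together with two checks a practitioner would want before declaring CVE-2015-5262 mitigated: that the loaded transport really is the HttpClient 4.x sender, and that commons-httpclient 3.x is no longer on the classpath. This is an added example, not code from either mail or from the Axis2 project. The sender class name is the one the Axis2 1.7.x HTTP transport module ships for HttpClient 4.x; cross-check it against the 1.7.0 release notes linked above. The config path, endpoint, namespace, operation name, and credentials are hypothetical placeholders.

```java
import javax.xml.namespace.QName;

import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.TransportSender;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;

public class HttpClient4RpcClient {

    // HttpClient 4.x based sender from the Axis2 1.7.x HTTP transport module.
    // The customized axis2.xml must name this class in its
    // <transportSender name="http" ...> and name="https" elements instead of
    // org.apache.axis2.transport.http.CommonsHTTPTransportSender.
    static final String HTTPCLIENT4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Build a ConfigurationContext from a customized axis2.xml (repositoryPath may be null). */
    static ConfigurationContext loadContext(String repositoryPath, String axis2XmlPath)
            throws AxisFault {
        return ConfigurationContextFactory
            .createConfigurationContextFromFileSystem(repositoryPath, axis2XmlPath);
    }

    /** Fail fast if the http/https transport senders are not the HttpClient 4.x ones. */
    static void assertHttpClient4Transport(ConfigurationContext ctx) throws AxisFault {
        for (String name : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            if (out == null) {
                continue; // transport not configured in this axis2.xml
            }
            TransportSender sender = out.getSender();
            String actual = sender == null ? "<none>" : sender.getClass().getName();
            if (!HTTPCLIENT4_SENDER.equals(actual)) {
                throw new IllegalStateException(
                    "transport '" + name + "' still uses " + actual);
            }
        }
    }

    /** True when the commons-httpclient 3.x JAR is absent from the classpath. */
    static boolean commonsHttpClient3Absent() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            return false;
        } catch (ClassNotFoundException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical path to the edited axis2.xml
        ConfigurationContext ctx = loadContext(null, "conf/axis2-httpclient4.xml");
        assertHttpClient4Transport(ctx);
        System.out.println("commons-httpclient 3.x absent: " + commonsHttpClient3Absent());

        // Pass the context explicitly; a no-arg RPCServiceClient would load the
        // default axis2.xml and therefore the HttpClient 3.x based sender.
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        try {
            Options options = client.getOptions();

            // HTTP Basic Authentication, as in the original snippet (placeholder credentials)
            HttpTransportProperties.Authenticator auth =
                new HttpTransportProperties.Authenticator();
            auth.setUsername("wsUser");
            auth.setPassword("wsPassword");
            auth.setPreemptiveAuthentication(true);
            options.setProperty(HTTPConstants.AUTHENTICATE, auth);

            // Hypothetical endpoint, namespace and operation
            options.setTo(new EndpointReference(
                "https://soap.example.invalid:8443/TestService/services/TestService"));
            QName op = new QName("http://example.invalid/ns", "generateUrl");

            Object[] result = client.invokeBlocking(
                op, new Object[] { "app" }, new Class[] { String.class });
            System.out.println(result.length > 0 ? result[0] : "<empty>");
        } finally {
            client.cleanup();
        }
    }
}
```

The runtime check matters because excluding commons-httpclient from the build is not enough on its own: if the application still lets RPCServiceClient build a default ConfigurationContext, Axis2 loads its bundled axis2.xml and the 3.x sender, and the client either fails at startup (class missing) or silently keeps using the vulnerable library if the JAR is reintroduced by another dependency.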
