axis-java-dev mailing list archives

From "Avi Sanwal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5822) Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
Date Mon, 19 Dec 2016 15:46:58 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15761508#comment-15761508 ]

Avi Sanwal commented on AXIS2-5822:
-----------------------------------

[~veithen], I would like to argue that this is indeed a bug, albeit due to an external dependency, and needs attention.
I am not re-opening the JIRA, however.

For others' reference, this can be worked around by modifying the axis2.xml configuration and having RPCServiceClient use it. You may need to exclude the transient dependency on the older version of HTTPClient (e.g., for Maven this can be done with the <excludes> tag in pom.xml). See [release notes of 1.7.0|http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html] for more details.

> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>
> Hi,
> We are getting a vulnerability notification for commons-httpclient-
> *CVE ID*:  CVE-2015-5262
> *References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> Currently, we are using Axis2 (*1.5.1*) which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
> Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR,
>   - What is the mitigation plan of Axis2 for this vulnerability, when can it be expected in a stable release?
>   - What is the recommendation to avoid packing this JAR along with our application (client-app)?
> Note:
>     * If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.
> {code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
>   import javax.xml.namespace.QName;
>   import org.apache.axis2.AxisFault;
>   import org.apache.axis2.addressing.EndpointReference;
>   import org.apache.axis2.client.Options;
>   import org.apache.axis2.rpc.client.RPCServiceClient;
>   import org.apache.axis2.transport.http.HTTPConstants;
>   import org.apache.axis2.transport.http.HttpTransportProperties;
>
>   RPCServiceClient serviceClient = null;
>   String responseUrl = null;
>   try {
>       // create the RPC client; the no-arg constructor uses the default axis2.xml
>       // bundled with Axis2, which is where the commons-httpclient 3.1 transport comes from
>       serviceClient = new RPCServiceClient();
>       Options options = serviceClient.getOptions();
>       // HTTP Basic Authentication
>       HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>       auth.setUsername(wsUser);
>       auth.setPassword(wsPassword);
>       auth.setPreemptiveAuthentication(true);
>       options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>       String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
>       EndpointReference targetEPR = new EndpointReference(webServiceURL);
>       // Set the options
>       options.setTo(targetEPR);
>       // QName of the method to invoke
>       QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>       Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
>       Class[] returnTypes = new Class[] { String.class };
>
>       Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
>       if (response.length > 0) {
>           // the first (and only) return value is the generated URL
>           responseUrl = (String) response[0];
>       }
>   } catch (AxisFault af) {
>       // ...
>   } catch (Exception e) {
>       // ...
>   } finally {
>       // ...
>   }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
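The workaround described in the comment above, as an added example; this is not code from the original message or from the Axis2 project. It has three parts: (1) in the client's own axis2.xml, point the `http` and `https` transportSender entries at org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender instead of the commons-httpclient 3.x based CommonsHTTPTransportSender named in the default configuration; (2) in pom.xml, add an <exclusions> entry for groupId commons-httpclient / artifactId commons-httpclient on the axis2 artifacts and declare org.apache.httpcomponents:httpclient directly; (3) build the RPCServiceClient from that configuration instead of the built-in default, which is what the no-arg constructor in the snippet above does. The repository path, the `axis2.repo` system property and the class name below are illustrative assumptions; the Axis2 classes and methods used are those shipped with 1.7.x.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.TransportSender;
import org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender;

/**
 * Builds an RPCServiceClient from a client-side repository whose conf/axis2.xml
 * names HTTPClient4TransportSender, and fails fast if the process still ends up
 * on the commons-httpclient 3.x code path. Added example, not Axis2 project code.
 */
public class HttpClient4ClientFactory {

    // Assumed layout: <repo>/conf/axis2.xml. Override with -Daxis2.repo=/path.
    static final String REPO = System.getProperty("axis2.repo", "/opt/app/axis2-client");
    static final String AXIS2_XML = REPO + "/conf/axis2.xml";

    public static RPCServiceClient newClient() throws AxisFault {
        // Load an explicit axis2.xml instead of the axis2_default.xml bundled in the
        // Axis2 jar, which is where the 3.x transport sender comes from.
        ConfigurationContext ctx =
            ConfigurationContextFactory.createConfigurationContextFromFileSystem(REPO, AXIS2_XML);
        requireHttpClient4(ctx);
        requireNoCommonsHttpClient3();
        // Passing the context is what makes this RPCServiceClient use that configuration.
        return new RPCServiceClient(ctx, null);
    }

    /** Both HTTP transports must be wired to the 4.x sender; a missed one silently keeps 3.x. */
    static void requireHttpClient4(ConfigurationContext ctx) {
        for (String name : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            if (out == null) {
                continue; // transport not declared in this axis2.xml
            }
            TransportSender sender = out.getSender();
            if (!(sender instanceof HTTPClient4TransportSender)) {
                throw new IllegalStateException("transportSender '" + name + "' is "
                    + (sender == null ? "unset" : sender.getClass().getName())
                    + "; expected " + HTTPClient4TransportSender.class.getName());
            }
        }
    }

    /** The Maven exclusion only worked if the 3.x entry point is no longer loadable. */
    static void requireNoCommonsHttpClient3() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
        } catch (ClassNotFoundException absent) {
            return; // commons-httpclient 3.x is off the classpath: good
        }
        throw new IllegalStateException(
            "commons-httpclient 3.x is still on the classpath (CVE-2015-5262); check the pom.xml exclusion");
    }
}
```

Two caveats worth knowing before running this. If the axis2.xml still names CommonsHTTPTransportSender and the 3.x jar has already been excluded, createConfigurationContextFromFileSystem itself fails while instantiating the transport sender, so the configuration change must go in together with the exclusion. And the second check is deliberately a classpath probe rather than a version check: with the jar merely shadowed by a newer httpclient, the vulnerable 3.x classes are still reachable by anything that references them.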

