Date: Mon, 19 Dec 2016 15:46:58 +0000 (UTC)
From: "Avi Sanwal (JIRA)"
To: java-dev@axis.apache.org
Subject: [jira] [Commented] (AXIS2-5822) Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

[ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15761508#comment-15761508 ]

Avi Sanwal commented on AXIS2-5822:
-----------------------------------

[~veithen], I would like to argue that this is indeed a bug, albeit due to an external dependency, and needs attention. I am not re-opening the JIRA, however.

For others' reference, this can be worked around by modifying the axis2.xml configuration and having RPCServiceClient use it. You may need to exclude the transient dependency on the older version of HTTPClient (e.g., for Maven this can be done with tag in pom.xml). See [release notes of 1.7.0|http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html] for more details.

> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>
> Hi,
> We are getting a vulnerability notification for commons-httpclient-
> *CVE ID*: CVE-2015-5262
> *References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> Currently, we are using Axis2 (*1.5.1*) which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
> Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR,
> - What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
> - What is the recommendation to avoid packing this JAR along with our application (client-app)?
> Note:
> * If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.
> {code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
> import javax.xml.namespace.QName;
> import org.apache.axis2.AxisFault;
> import org.apache.axis2.addressing.EndpointReference;
> import org.apache.axis2.client.Options;
> import org.apache.axis2.rpc.client.RPCServiceClient;
> import org.apache.axis2.transport.http.HTTPConstants;
> import org.apache.axis2.transport.http.HttpTransportProperties;
>
> RPCServiceClient serviceClient = null;
> String responseData = null;
> try {
>     // create the RPC client (no-arg constructor: picks up the default axis2.xml,
>     // whose HTTP transport is backed by commons-httpclient 3.1)
>     serviceClient = new RPCServiceClient();
>     Options options = serviceClient.getOptions();
>     // HTTP Basic Authentication
>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>     auth.setUsername(wsUser);
>     auth.setPassword(wsPassword);
>     auth.setPreemptiveAuthentication(true);
>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
>     // Set the options
>     options.setTo(targetEPR);
>     // QName of the method to invoke
>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>     Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
>     Class[] returnTypes = new Class[] { String.class };
>
>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
>     if (response.length > 0) {
>         responseData = (String) response[0];
>     }
> } catch (AxisFault af) {
>     ...
> } catch (Exception e) {
>     ...
> } finally {
>     ...
> }
> {code}
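The workaround the comment describes, as an added example that is neither the thread's nor the Axis2 project's own code: a client that builds its ConfigurationContext from a custom axis2.xml pointing at the HttpClient 4 transport sender, checks which sender and which HTTP library are actually in effect, and hands that context to RPCServiceClient. The repository path, endpoint, namespace and operation are placeholders; the sender class name is taken from the 1.7.0 release notes and should be verified against the installed Axis2 version.

```java
// Added example, not from the JIRA thread or the Axis2 project. Assumed: REPO holds
// conf/axis2.xml in which the "http" and "https" transportSender class is changed to
//   org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender
// (name per the 1.7.0 release notes; verify against the installed version), and pom.xml
// excludes commons-httpclient:3.1 and adds org.apache.httpcomponents:httpclient 4.x.
import javax.xml.namespace.QName;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

public class HttpClient4RpcInvoker {
    private static final String REPO = "axis2-repo";                  // placeholder path
    private static final String AXIS2_XML = REPO + "/conf/axis2.xml";  // customised config

    /** Builds the context from the custom axis2.xml and fails fast if HttpClient 3 is still in play. */
    static ConfigurationContext loadContext() throws AxisFault {
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(REPO, AXIS2_XML);
        TransportOutDescription http = ctx.getAxisConfiguration().getTransportOut("http");
        String sender = http.getSender().getClass().getName();
        if (!sender.endsWith("HTTPClient4TransportSender")) {
            throw new IllegalStateException("axis2.xml still selects " + sender);
        }
        // The pom.xml exclusion only worked if commons-httpclient 3.x cannot be loaded at all.
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            throw new IllegalStateException("commons-httpclient 3.x is still on the classpath");
        } catch (ClassNotFoundException expected) {
            // good: the vulnerable library is absent
        }
        return ctx;
    }

    public static void main(String[] args) throws AxisFault {
        // Passing the context here is what makes RPCServiceClient use the custom axis2.xml;
        // a null AxisService gives the same anonymous service as the no-arg constructor.
        RPCServiceClient client = new RPCServiceClient(loadContext(), null);
        Options options = client.getOptions();
        options.setTo(new EndpointReference("http://localhost:8080/axis2/services/TestService"));
        QName op = new QName("http://example.org/test", "echo");
        Object[] result = client.invokeBlocking(op, new Object[] { "ping" }, new Class[] { String.class });
        System.out.println(result[0]);
    }
}
```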