Posted to java-dev@axis.apache.org by "Avi Sanwal (JIRA)" <ji...@apache.org> on 2016/12/19 15:46:58 UTC

[jira] [Commented] (AXIS2-5822) Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

    [ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15761508#comment-15761508 ] 

Avi Sanwal commented on AXIS2-5822:
-----------------------------------

[~veithen], I would like to argue that this is indeed a bug, albeit due to an external dependency, and needs attention.
I am not re-opening the JIRA, however.

For others' reference, this can be worked around by modifying the axis2.xml configuration and having RPCServiceClient use it. You may need to exclude the transient dependency on an older version of HTTPClient (e.g., for Maven this can be done with the <excludes> tag in pom.xml). See [release notes of 1.7.0|http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html] for more details.

> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>
> Hi,
> We are getting a vulnerability notification for commons-httpclient-
> *CVE ID*:  CVE-2015-5262
> *References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> Currently, we are using Axis2 (*1.5.1*) which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
> Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR, 
>   - What is the mitigation plan of Axis2 for this vulnerability, when can it be expected in a stable release?
>   - What is the recommendation to avoid packing this JAR along with our application (client-app)?
> Note:
>     * If, necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.
> {code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
>   // Imports needed by this snippet (Axis2 1.5.x / 1.7.x package names)
>   import javax.xml.namespace.QName;
>   import org.apache.axis2.AxisFault;
>   import org.apache.axis2.addressing.EndpointReference;
>   import org.apache.axis2.client.Options;
>   import org.apache.axis2.rpc.client.RPCServiceClient;
>   import org.apache.axis2.transport.http.HTTPConstants;
>   import org.apache.axis2.transport.http.HttpTransportProperties;
>
>   // wsUser, wsPassword, protocol, soapAddress, soapPort, application, applicationPort,
>   // SOAP_SERVICE_NAMESPACE and SOAP_SERVICE_METHOD are fields of the enclosing class
>   RPCServiceClient serviceClient = null;
>   String responseUrl = null;
>   try {
>       // create the RPC client; the default axis2.xml selects the commons-httpclient 3.1 transport
>       serviceClient = new RPCServiceClient();
>       Options options = serviceClient.getOptions();
>       // HTTP Basic Authentication
>       HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>       auth.setUsername(wsUser);
>       auth.setPassword(wsPassword);
>       auth.setPreemptiveAuthentication(true);
>       options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>       String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
>       EndpointReference targetEPR = new EndpointReference(webServiceURL);
>       // Set the options
>       options.setTo(targetEPR);
>       // QName of the method to invoke
>       QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>       Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
>       Class[] returnTypes = new Class[] { String.class };
>
>       Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
>       if (response.length > 0) {
>           // the single String return value declared above
>           responseUrl = (String) response[0];
>       }
>   } catch (AxisFault af) {
>       ...
>   } catch (Exception e) {
>       ...
>   } finally {
>       ...
>   }
> {code}
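
The workaround described in the comment above (a custom axis2.xml plus a Maven exclusion of the transitive commons-httpclient 3.1 dependency), as an added example that is not code from this JIRA thread or the Axis2 project: a small factory that builds the RPCServiceClient from that axis2.xml and fails fast if the HttpClient 3.1 code path is still reachable. The factory class name and file paths are assumptions; the HTTPClient4TransportSender class is the one Axis2 1.7.x ships for HttpClient 4.x.

```java
// Added example, not from the JIRA thread. Assumes Axis2 1.7.x with HttpClient 4.x on the
// classpath, commons-httpclient:commons-httpclient excluded from axis2-transport-http in
// pom.xml (<exclusions>), and a custom axis2.xml whose HTTP sender is switched to:
//   <transportSender name="http"
//       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
//     <parameter name="PROTOCOL">HTTP/1.1</parameter>
//   </transportSender>
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

public final class HttpClient4RpcClientFactory {
    private static final String HC3_CLIENT = "org.apache.commons.httpclient.HttpClient";
    private static final String HC4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    // Builds an RPCServiceClient from the given axis2.xml (repoDir may be null) and
    // refuses to start if the commons-httpclient 3.1 code path is still reachable.
    public static RPCServiceClient create(String repoDir, String axis2Xml) throws AxisFault {
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(repoDir, axis2Xml);

        // Check 1: the "http" transport really uses the HttpClient 4 sender.
        TransportOutDescription http = ctx.getAxisConfiguration().getTransportOut("http");
        if (http == null || http.getSender() == null
                || !HC4_SENDER.equals(http.getSender().getClass().getName())) {
            throw new AxisFault("axis2.xml does not route HTTP through " + HC4_SENDER);
        }
        // Check 2: the vulnerable JAR is absent from the classpath, so neither this
        // client nor a default ConfigurationContext elsewhere can fall back to it.
        if (isLoadable(HC3_CLIENT)) {
            throw new AxisFault("commons-httpclient 3.x is still on the classpath; fix the exclusion");
        }
        // Options (endpoint, HTTP Basic auth) are then set exactly as in the quoted snippet.
        return new RPCServiceClient(ctx, null);
    }

    // True when the class can be found by this class loader (no static init is run).
    static boolean isLoadable(String className) {
        try {
            Class.forName(className, false, HttpClient4RpcClientFactory.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
}
```

Run the factory once at application startup so a build that silently re-introduces commons-httpclient 3.1 (for example through another dependency) is caught before any request is sent.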


