You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Miriam Celi (JIRA)" <ji...@apache.org> on 2016/04/13 17:27:25 UTC

[jira] [Commented] (AXIS2-5757) Version of httpclient bundled in axis2-1.7.1 is exposed to to the vulnerability CVE-2012-6153, CVE-2014-3577

    [ https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15239423#comment-15239423 ] 

Miriam Celi commented on AXIS2-5757:
------------------------------------

Additional information on these vulnerabilities can be found at these links:
https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
https://exchange.xforce.ibmcloud.com/vulnerabilities/95328
http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html

httpcore-4.2.1.jar and httpclient-4.2.1.jar should be upgraded to the newer GA versions available (https://hc.apache.org/downloads.cgi) and commons-httpclient-3.1.jar should be removed if possible. 

> Version of httpclient bundled in axis2-1.7.1 is exposed to  to the vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>            Priority: Minor
>              Labels: httpclient
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to  to the vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1  is susceptible to CVE-2012-6153, CVE-2014-3577 
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3" is vulnerability. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans we have for Axis2 to address this Vulnerability. Will it be fixed in the upcoming 1.7.2 or 1.8 release or any other release. If yes, when would that be. Reason for this query is our application uses Axis2 and and hence exposed to this vulnerability. 
> Thanks,
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org