Posted to java-dev@axis.apache.org by Andreas Veithen <an...@gmail.com> on 2016/12/19 15:18:29 UTC

Re: [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

You need to switch to the HttpClient 4.x based HTTP transport as
explained in the Axis2 1.7.0 release notes [1]. This means that you
need to create a customized axis2.xml config file, instantiate a
ConfigurationContext from that file and pass it to the
RPCServiceClient (instead of letting RPCServiceClient create a default
ConfigurationContext for you).

Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <av...@gmail.com> wrote:
> Hi,
>
> We are getting a vulnerability notification for commons-httpclient
>
> CVE ID: CVE-2015-5262
> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> Currently, we are using Axis2 (1.5.1) which internally uses
> commons-httpclient (3.1). However, the latest stable version (as of now,
> 1.7.4) still employs commons-httpclient:3.1 by default.
> Since the reported vulnerability is present in the commons-httpclient:3.1
> JAR,
>
> What is the mitigation plan of Axis2 for this vulnerability, when can it be
> expected in a stable release?
> What is the recommendation to avoid packing this JAR along with our
> application (client-app)?
>
> Note:
>
> If necessary, we can move to a newer stable version (1.7.x). But currently,
> it does not help us since commons-httpclient:3.1 still gets packed as a
> transient dependency.
>
>
>
> Client Code snippet, for reference
>
>   RPCServiceClient serviceClient = null;
>   // holds the single String returned by the operation
>   String responseData = null;
>   try {
>       // create the RPC client
>       serviceClient = new RPCServiceClient();
>       Options options = serviceClient.getOptions();
>
>       // HTTP Basic Authentication
>       HttpTransportProperties.Authenticator auth =
>           new HttpTransportProperties.Authenticator();
>       auth.setUsername(wsUser);
>       auth.setPassword(wsPassword);
>       auth.setPreemptiveAuthentication(true);
>       options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>       String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
>           + "/TestService/services/TestService";
>       EndpointReference targetEPR = new EndpointReference(webServiceURL);
>
>       // Set the options
>       options.setTo(targetEPR);
>
>       // QName of the method to invoke
>       QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>
>       Object[] opGenerateUrlArguments = new Object[] { application,
>           soapAddress, applicationPort, protocol };
>
>       Class[] returnTypes = new Class[] { String.class };
>
>       Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>           opGenerateUrlArguments, returnTypes);
>       if (response.length > 0) {
>           responseData = (String) response[0];
>       }
>   } catch (AxisFault af) {
>       ...
>   } catch (Exception e) {
>       ...
>   } finally {
>       ...
>   }
>
>
> Thanking You
> Yours Sincerely
> Avi Sanwal
>
> PS: I also created a JIRA earlier (before I read the FAQs) -
> https://issues.apache.org/jira/browse/AXIS2-5822
> PPS: I am unable to access the mailing archives to see if this concern has
> been already addressed.

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
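Putting the steps Andreas describes together (an added example, not code from the thread or from the Axis2 project): load a customised axis2.xml into a ConfigurationContext, check that it really selects the HttpClient 4.x sender, and hand that context to RPCServiceClient instead of letting it build the default one. The sender class name is the one Axis2 1.7.x ships for its HttpClient 4.x transport; the file path and the factory class name are assumptions.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

/**
 * Builds an RPCServiceClient from a caller-supplied axis2.xml so that the
 * HttpClient 4.x transport sender is used instead of the default
 * commons-httpclient 3.1 based one. Added example; not code from the thread.
 */
public final class HttpClient4ClientFactory {

    /** Sender class of the HttpClient 4.x transport shipped with Axis2 1.7.x. */
    static final String HC4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /*
     * The customised axis2.xml (path is an assumption, e.g. conf/axis2-hc4.xml)
     * is a copy of the stock file whose http transportSender is changed to:
     *
     *   <transportSender name="http"
     *       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
     *     <parameter name="PROTOCOL">HTTP/1.1</parameter>
     *     <parameter name="Transfer-Encoding">chunked</parameter>
     *   </transportSender>
     */
    static RPCServiceClient create(String axis2XmlPath) throws AxisFault {
        // Load the configuration from the given file instead of the built-in
        // default. A pure client needs no repository directory, hence null.
        ConfigurationContext ctx = ConfigurationContextFactory
            .createConfigurationContextFromFileSystem(null, axis2XmlPath);

        // Fail fast if the file still selects the HttpClient 3.x sender, so the
        // vulnerable library is never used silently.
        TransportOutDescription http = ctx.getAxisConfiguration().getTransportOut("http");
        String sender = (http == null || http.getSender() == null)
            ? "none" : http.getSender().getClass().getName();
        if (!HC4_SENDER.equals(sender)) {
            throw new AxisFault("axis2.xml selects " + sender + ", expected " + HC4_SENDER);
        }

        // Passing the context is what makes the client honour the custom
        // axis2.xml; new RPCServiceClient() would create a default context.
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        client.getOptions().setTimeOutInMilliSeconds(30_000); // bound each request
        return client;
    }
}
```

The check only confirms which sender the running client uses; keeping the commons-httpclient 3.1 jar out of the packaged application is a separate dependency-management step.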


Re: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

Posted by Andreas Veithen <an...@gmail.com>.
On Mon, Dec 19, 2016 at 3:35 PM,  <av...@gmail.com> wrote:
> Hi Andreas,
>
> Thanks for the response. We have already followed the instructions in AXIS2
> documentations to migrate to 1.7.4. We tried with a customized
> RPCServiceClient, and it picks the new HTTPClient version. However, we fear
> that the below mentioned vulnerability would still be reported as Maven
> transiently still packs the old version of HTTPClient (3.1). So we have
> added an <excludes> clause in our dependency.
>
> This will work for now, however, it looks like a workaround-ish fix. We hope
> that AXIS2 would provide a ‘default’ fix (without having users to rely on
> the <excludes>) in a near future release (or a fork for backward
> compatibility?).

In Axis2 1.8, HttpClient 4.x will be the default, and the two
implementations of the HTTP transport will be available as two
distinct Maven artifacts, effectively fixing the transitive dependency
problem.

>
> Eagerly awaiting your response,
>
> Avi Sanwal



RE: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

Posted by av...@gmail.com.
Hi Andreas,

Thanks for the response. We have already followed the instructions in AXIS2 documentations to migrate to 1.7.4. We tried with a customized RPCServiceClient, and it picks the new HTTPClient version. However, we fear that the below mentioned vulnerability would still be reported as Maven transiently still packs the old version of HTTPClient (3.1). So we have added an <excludes> clause in our dependency.

This will work for now, however, it looks like a workaround-ish fix. We hope that AXIS2 would provide a ‘default’ fix (without having users to rely on the <excludes>) in a near future release (or a fork for backward compatibility?).

Eagerly awaiting your response,
Avi Sanwal
