You need to switch to the HttpClient 4.x-based HTTP transport, as explained in the Axis2 1.7.0 release notes [1]. This means that you need to create a customized axis2.xml config file, instantiate a ConfigurationContext from that file and pass it to the RPCServiceClient (instead of letting RPCServiceClient create a default ConfigurationContext for you).
Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <[email protected]> wrote:
> Hi,
>
> We are getting a vulnerability notification for commons-httpclient
>
> CVE ID: CVE-2015-5262
> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> Currently, we are using Axis2 (1.5.1) which internally uses
> commons-httpclient (3.1). However, the latest stable version (as of now,
> 1.7.4) still employs commons-httpclient:3.1 by default.
> Since the reported vulnerability is present in the commons-httpclient:3.1
> JAR,
>
> What is the mitigation plan of Axis2 for this vulnerability, when can it be
> expected in a stable release?
> What is the recommendation to avoid packing this JAR along with our
> application (client-app)?
>
> Note:
>
> If necessary, we can move to a newer stable version (1.7.x). But currently,
> it does not help us since commons-httpclient:3.1 still gets packed as a
> transitive dependency.
>
>
> Client Code snippet, for reference
>
> RPCServiceClient serviceClient = null;
> String responseData = null;
> try {
>     // create the RPC client
>     serviceClient = new RPCServiceClient();
>     Options options = serviceClient.getOptions();
>
>     // HTTP Basic Authentication
>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>     auth.setUsername(wsUser);
>     auth.setPassword(wsPassword);
>     auth.setPreemptiveAuthentication(true);
>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
>             + "/TestService/services/TestService";
>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
>
>     // Set the options
>     options.setTo(targetEPR);
>
>     // QName of the method to invoke
>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>
>     Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
>
>     Class[] returnTypes = new Class[] { String.class };
>
>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
>     if (response.length > 0) {
>         responseData = (String) response[0];
>     }
> } catch (AxisFault af) {
>     ...
> } catch (Exception e) {
>     ...
> } finally {
>     ...
> }
>
>
> Thanking You
> Yours Sincerely
> Avi Sanwal
>
> PS: I also created a JIRA earlier (before I read the FAQs) -
> https://issues.apache.org/jira/browse/AXIS2-5822
> PPS: I am unable to access the mailing archives to see if this concern has
> been already addressed.
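The steps Andreas describes (custom axis2.xml, ConfigurationContext built from it, context handed to RPCServiceClient), written out as an added example that is not part of the thread and not Axis2 project code. The sender class name is the HttpClient 4.x one given in the 1.7.0 release notes; the axis2.xml path (conf/axis2.xml), the class and method names, and the fail-fast checks are assumptions of this example. The checks exist because the whole point of the change is to stop loading commons-httpclient 3.1: if the wrong axis2.xml is picked up, the client still silently uses the 3.x transport, so the example refuses to run in that state.

```java
import javax.xml.namespace.QName;

import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;

/*
 * Transport section of the custom axis2.xml this client loads (file location
 * is an assumption of this example). Copy the stock axis2.xml from the Axis2
 * distribution and change only the transportSender class: the 3.x default is
 * org.apache.axis2.transport.http.CommonsHTTPTransportSender, the 4.x sender
 * from the 1.7.0 release notes is used below for both http and https.
 *
 *   <transportSender name="http"
 *       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 *       <parameter name="PROTOCOL">HTTP/1.1</parameter>
 *       <parameter name="Transfer-Encoding">chunked</parameter>
 *   </transportSender>
 *   <transportSender name="https"
 *       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 *       <parameter name="PROTOCOL">HTTP/1.1</parameter>
 *       <parameter name="Transfer-Encoding">chunked</parameter>
 *   </transportSender>
 */
public class HttpClient4SoapClient {

    private static final String HC4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Builds the ConfigurationContext from our own axis2.xml instead of the bundled default. */
    static ConfigurationContext loadContext(String axis2XmlPath) throws AxisFault {
        // First argument is the repository (modules/services) path; null means none.
        ConfigurationContext ctx =
                ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, axis2XmlPath);
        verifyHttpClient4Transport(ctx);
        return ctx;
    }

    /**
     * Refuse to proceed if the loaded configuration still carries the 3.x sender
     * or the 3.x JAR is still on the classpath, so the fix cannot regress quietly.
     */
    static void verifyHttpClient4Transport(ConfigurationContext ctx) throws AxisFault {
        for (String name : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            if (out == null) {
                continue; // transport not configured at all; nothing to check
            }
            String sender = out.getSender().getClass().getName();
            if (!HC4_SENDER.equals(sender)) {
                throw new AxisFault("transport '" + name + "' still uses " + sender
                        + "; expected " + HC4_SENDER);
            }
        }
        // commons-httpclient 3.x lives in org.apache.commons.httpclient; HttpClient 4.x
        // lives in org.apache.http, so this class must be absent once the JAR is excluded.
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            throw new AxisFault("commons-httpclient 3.x is still on the classpath");
        } catch (ClassNotFoundException expected) {
            // good: the vulnerable JAR is gone
        }
    }

    /** Same call as the snippet in the thread, but over the caller-supplied context. */
    static String callGenerateUrl(ConfigurationContext ctx, String endpoint,
                                  String wsUser, String wsPassword,
                                  QName operation, Object[] args) throws AxisFault {
        // Passing our context here is the actual fix; a null AxisService makes
        // the client create the usual anonymous service.
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        try {
            Options options = client.getOptions();

            // HTTP Basic Authentication, as in the original snippet
            HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
            auth.setUsername(wsUser);
            auth.setPassword(wsPassword);
            auth.setPreemptiveAuthentication(true);
            options.setProperty(HTTPConstants.AUTHENTICATE, auth);
            options.setTo(new EndpointReference(endpoint));

            Object[] response = client.invokeBlocking(operation, args, new Class[] { String.class });
            return response.length > 0 ? (String) response[0] : null;
        } finally {
            client.cleanupTransport();
        }
    }
}
```

Build the context once and reuse it across calls (`loadContext("conf/axis2.xml")`); each RPCServiceClient created from it shares the HttpClient 4 sender. The axis2.xml change only selects the transport class: the 3.1 JAR still arrives as a transitive dependency of the Axis2 artifacts until the build excludes `commons-httpclient:commons-httpclient` and declares the HttpClient 4.x artifact (`org.apache.httpcomponents:httpclient`) itself, which is what the classpath check above is there to confirm.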
