Hi Andreas,

Thanks for the response. We have already followed the instructions in the Axis2 documentation to migrate to 1.7.4. We tried with a customized RPCServiceClient, and it picks up the new HttpClient version. However, we fear that the below-mentioned vulnerability would still be reported, as Maven still packs the old version of HttpClient (3.1) transitively. So we have added an <excludes> clause in our dependency.

This will work for now; however, it looks like a workaround-ish fix. We hope that Axis2 would provide a 'default' fix (without having users rely on the <excludes>) in a near-future release (or a fork for backward compatibility?).

Eagerly awaiting your response,
Avi Sanwal

From: Andreas Veithen
Sent: Monday, December 19, 2016 8:48 PM
To: java-dev
Subject: Re: [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

You need to switch to the HttpClient 4.x based HTTP transport as explained in the Axis2 1.7.0 release notes [1]. This means that you need to create a customized axis2.xml config file, instantiate a ConfigurationContext from that file and pass it to the RPCServiceClient (instead of letting RPCServiceClient create a default ConfigurationContext for you).

Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <[email protected]> wrote:
> Hi,
>
> We are getting a vulnerability notification for commons-httpclient.
>
> CVE ID: CVE-2015-5262
> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> Currently, we are using Axis2 (1.5.1), which internally uses
> commons-httpclient (3.1). However, the latest stable version (as of now,
> 1.7.4) still employs commons-httpclient:3.1 by default.
> Since the reported vulnerability is present in the commons-httpclient:3.1
> JAR:
>
> What is the mitigation plan of Axis2 for this vulnerability, and when can it
> be expected in a stable release?
> What is the recommendation to avoid packing this JAR along with our
> application (client-app)?
>
> Note:
>
> If necessary, we can move to a newer stable version (1.7.x). But currently,
> it does not help us, since commons-httpclient:3.1 still gets packed as a
> transitive dependency.
>
> Client code snippet, for reference:
>
> import javax.xml.namespace.QName;
>
> import org.apache.axis2.AxisFault;
> import org.apache.axis2.addressing.EndpointReference;
> import org.apache.axis2.client.Options;
> import org.apache.axis2.rpc.client.RPCServiceClient;
> import org.apache.axis2.transport.http.HTTPConstants;
> import org.apache.axis2.transport.http.HttpTransportProperties;
>
> RPCServiceClient serviceClient = null;
> String responseUrl = null;
> try {
>     // create the RPC client (no ConfigurationContext passed, so the
>     // default axis2.xml and its default HTTP transport sender are used)
>     serviceClient = new RPCServiceClient();
>     Options options = serviceClient.getOptions();
>
>     // HTTP Basic Authentication, sent preemptively
>     HttpTransportProperties.Authenticator auth =
>             new HttpTransportProperties.Authenticator();
>     auth.setUsername(wsUser);
>     auth.setPassword(wsPassword);
>     auth.setPreemptiveAuthentication(true);
>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
>             + "/TestService/services/TestService";
>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
>
>     // Set the target endpoint
>     options.setTo(targetEPR);
>
>     // QName of the method to invoke
>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>
>     Object[] opGenerateUrlArguments = new Object[] { application, soapAddress,
>             applicationPort, protocol };
>
>     Class[] returnTypes = new Class[] { String.class };
>
>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>             opGenerateUrlArguments, returnTypes);
>     if (response.length > 0) {
>         // the single String return value of the operation
>         responseUrl = (String) response[0];
>     }
> } catch (AxisFault af) {
>     ...
> } catch (Exception e) {
>     ...
> } finally {
>     ...
> }
>
> Thanking you,
> Yours sincerely,
> Avi Sanwal
>
> PS: I also created a JIRA earlier (before I read the FAQs) -
> https://issues.apache.org/jira/browse/AXIS2-5822
> PPS: I am unable to access the mailing archives to see if this concern has
> been already addressed.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
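The steps Andreas describes (a customized axis2.xml, a ConfigurationContext built from it, and an RPCServiceClient constructed with that context instead of the default one) can be turned into a small client factory with a fail-fast check. The code below is an added example written for this page; it is not code from the thread, from Axis2, or from either participant. It assumes a copy of the distribution's axis2.xml saved at a hypothetical path (/etc/myapp/axis2-httpclient4.xml) in which the "http" and "https" transportSender entries have been switched to the HttpClient 4 sender class shipped in the Axis2 1.7 HTTP transport, and that no client repository directory is needed (a null repository path). The check also verifies that the Maven exclusion mentioned in the reply actually removed commons-httpclient 3.1 from the class path.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.TransportSender;

/**
 * Builds an RPCServiceClient on top of the HttpClient 4.x transport.
 *
 * Assumed input: a copy of the default axis2.xml in which both the "http" and
 * "https" transportSender elements were changed to
 *
 *   <transportSender name="http"
 *       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 *       <parameter name="PROTOCOL">HTTP/1.1</parameter>
 *       <parameter name="Transfer-Encoding">chunked</parameter>
 *   </transportSender>
 *
 * (same for name="https"). The path below is hypothetical.
 */
public final class HttpClient4ClientFactory {

    // Hypothetical location of the customized axis2.xml; null repository path
    // means no modules are loaded from a client repository directory.
    private static final String AXIS2_REPOSITORY = null;
    private static final String AXIS2_XML = "/etc/myapp/axis2-httpclient4.xml";

    static final String HTTPCLIENT4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    private HttpClient4ClientFactory() {
    }

    /** Load the customized axis2.xml and refuse to continue on the wrong transport. */
    public static ConfigurationContext createContext() throws AxisFault {
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(AXIS2_REPOSITORY, AXIS2_XML);
        requireHttpClient4(ctx, "http");
        requireHttpClient4(ctx, "https");
        return ctx;
    }

    /** Fail fast if the named transport still resolves to a sender other than HttpClient 4. */
    static void requireHttpClient4(ConfigurationContext ctx, String transport) throws AxisFault {
        TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(transport);
        TransportSender sender = out == null ? null : out.getSender();
        String cls = sender == null ? "<none>" : sender.getClass().getName();
        if (!HTTPCLIENT4_SENDER.equals(cls)) {
            throw new AxisFault("transport '" + transport + "' uses " + cls
                    + "; expected " + HTTPCLIENT4_SENDER);
        }
    }

    /**
     * The key step from the reply: pass the context in. A no-arg RPCServiceClient
     * builds a default ConfigurationContext from the axis2.xml bundled in
     * axis2-kernel, which in 1.7.x still selects the commons-httpclient 3.1 sender.
     */
    public static RPCServiceClient createClient(ConfigurationContext ctx) throws AxisFault {
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        Options options = client.getOptions();
        options.setTimeOutInMilliSeconds(30_000);
        return client;
    }

    /**
     * True if commons-httpclient 3.x is still loadable, i.e. the Maven exclusion
     * did not remove it and a scanner would still flag CVE-2015-5262.
     */
    public static boolean legacyHttpClientOnClasspath() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws AxisFault {
        ConfigurationContext ctx = createContext();
        RPCServiceClient client = createClient(ctx);
        System.out.println("transport sender OK: " + HTTPCLIENT4_SENDER);
        System.out.println("commons-httpclient 3.x on classpath: " + legacyHttpClientOnClasspath());
        client.cleanup();
    }
}
```

Usage note: the Maven element that drops the transitive jar is `<exclusions>` (one `<exclusion>` with groupId `commons-httpclient` and artifactId `commons-httpclient`, placed inside the axis2 dependency), and `legacyHttpClientOnClasspath()` returning false at startup is the practical confirmation that it took effect for the packaged application, not just the build. The transport check runs before any request is sent, so a deployment that accidentally picks up the default axis2.xml fails loudly instead of silently talking over HttpClient 3.1.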
