On Mon, Dec 19, 2016 at 3:35 PM, <[email protected]> wrote:
> Hi Andreas,
>
> Thanks for the response. We have already followed the instructions in AXIS2
> documentation to migrate to 1.7.4. We tried with a customized
> RPCServiceClient, and it picks the new HTTPClient version. However, we fear
> that the below-mentioned vulnerability would still be reported as Maven
> transiently still packs the old version of HTTPClient (3.1). So we have
> added an <excludes> clause in our dependency.
>
> This will work for now; however, it looks like a workaround-ish fix. We hope
> that AXIS2 would provide a ‘default’ fix (without having users rely on
> the <excludes>) in a near future release (or a fork for backward
> compatibility?).
In Axis2 1.8, HttpClient 4.x will be the default, and the two implementations
of the HTTP transport will be available as two distinct Maven artifacts,
effectively fixing the transitive dependency problem.

> Eagerly awaiting your response,
>
> Avi Sanwal
>
> From: Andreas Veithen
> Sent: Monday, December 19, 2016 8:48 PM
> To: java-dev
> Subject: Re: [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
>
> > You need to switch to the HttpClient 4.x based HTTP transport as
> > explained in the Axis2 1.7.0 release notes [1]. This means that you
> > need to create a customized axis2.xml config file, instantiate a
> > ConfigurationContext from that file and pass it to the
> > RPCServiceClient (instead of letting RPCServiceClient create a default
> > ConfigurationContext for you).
> >
> > Andreas
> >
> > [1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html
> >
> > On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <[email protected]> wrote:
> >> Hi,
> >>
> >> We are getting a vulnerability notification for commons-httpclient
> >>
> >> CVE ID: CVE-2015-5262
> >> References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> >>
> >> Currently, we are using Axis2 (1.5.1) which internally uses
> >> commons-httpclient (3.1). However, the latest stable version (as of now,
> >> 1.7.4) still employs commons-httpclient:3.1 by default.
> >> Since the reported vulnerability is present in the commons-httpclient:3.1
> >> JAR,
> >>
> >> What is the mitigation plan of Axis2 for this vulnerability, and when can it
> >> be expected in a stable release?
> >> What is the recommendation to avoid packing this JAR along with our
> >> application (client-app)?
> >>
> >> Note:
> >>
> >> If necessary, we can move to a newer stable version (1.7.x). But currently,
> >> it does not help us since commons-httpclient:3.1 still gets packed as a
> >> transient dependency.
> >>
> >> Client Code snippet, for reference
> >>
> >> // imports used by the snippet below
> >> import javax.xml.namespace.QName;
> >> import org.apache.axis2.AxisFault;
> >> import org.apache.axis2.addressing.EndpointReference;
> >> import org.apache.axis2.client.Options;
> >> import org.apache.axis2.rpc.client.RPCServiceClient;
> >> import org.apache.axis2.transport.http.HTTPConstants;
> >> import org.apache.axis2.transport.http.HttpTransportProperties;
> >>
> >> RPCServiceClient serviceClient = null;
> >> String responseData = null;
> >> try {
> >>     // create the RPC client (default ConfigurationContext, hence the
> >>     // default commons-httpclient 3.1 based transport)
> >>     serviceClient = new RPCServiceClient();
> >>     Options options = serviceClient.getOptions();
> >>
> >>     // HTTP Basic Authentication
> >>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
> >>     auth.setUsername(wsUser);
> >>     auth.setPassword(wsPassword);
> >>     auth.setPreemptiveAuthentication(true);
> >>     options.setProperty(HTTPConstants.AUTHENTICATE, auth);
> >>     String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort
> >>             + "/TestService/services/TestService";
> >>     EndpointReference targetEPR = new EndpointReference(webServiceURL);
> >>
> >>     // Set the options
> >>     options.setTo(targetEPR);
> >>
> >>     // QName of the method to invoke
> >>     QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
> >>
> >>     Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
> >>
> >>     Class[] returnTypes = new Class[] { String.class };
> >>
> >>     Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
> >>     if (response.length > 0) {
> >>         responseData = (String) response[0];
> >>     }
> >> } catch (AxisFault af) {
> >>     ...
> >> } catch (Exception e) {
> >>     ...
> >> } finally {
> >>     ...
> >> }
> >>
> >>
> >> Thanking You
> >> Yours Sincerely
> >> Avi Sanwal
> >>
> >> PS: I also created a JIRA earlier (before I read the FAQs) -
> >> https://issues.apache.org/jira/browse/AXIS2-5822
> >> PPS: I am unable to access the mailing archives to see if this concern has
> >> been already addressed.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
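The migration Andreas describes above (a customized axis2.xml, a ConfigurationContext built from it, and that context handed to RPCServiceClient), written out as an added example; this is not code from the thread or from the Axis2 project itself. The repository directory /opt/app/axis2-repo and the file /opt/app/conf/axis2-client.xml are assumed paths, and the HTTPClient4TransportSender class name is the one given in the 1.7.0 release notes linked above and should be checked against them. The check in loadConfiguration is added so the application fails at startup rather than silently running on the HttpClient 3 based sender.

```java
import java.io.File;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

/**
 * Builds an RPCServiceClient from a customized axis2.xml so that the
 * HttpClient 4.x based HTTP transport is used instead of commons-httpclient 3.1.
 *
 * Assumed (example-only) layout:
 *   /opt/app/axis2-repo/            Axis2 client repository (may be empty)
 *   /opt/app/conf/axis2-client.xml  copy of the stock axis2.xml in which the
 *                                   "http" and "https" transportSender entries
 *                                   name the HttpClient 4 sender class below
 */
public class HttpClient4AxisClientFactory {

    // Sender class from the Axis2 1.7.0 release notes (verify against the notes).
    static final String HTTPCLIENT4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";
    // Default sender in 1.7.x, which still relies on commons-httpclient 3.1.
    static final String LEGACY_SENDER =
        "org.apache.axis2.transport.http.CommonsHTTPTransportSender";

    /**
     * Loads the custom configuration and fails fast if either HTTP transport
     * is still wired to the legacy sender.
     */
    public static ConfigurationContext loadConfiguration(File repo, File axis2Xml) throws AxisFault {
        ConfigurationContext ctx = ConfigurationContextFactory
            .createConfigurationContextFromFileSystem(repo.getAbsolutePath(), axis2Xml.getAbsolutePath());

        for (String transport : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(transport);
            if (out == null || out.getSender() == null) {
                continue; // transport not declared in this axis2.xml
            }
            String sender = out.getSender().getClass().getName();
            if (LEGACY_SENDER.equals(sender)) {
                throw new AxisFault("transportSender for '" + transport + "' is still " + LEGACY_SENDER
                    + "; edit " + axis2Xml + " to use " + HTTPCLIENT4_SENDER);
            }
        }
        return ctx;
    }

    /**
     * Passing the context explicitly stops RPCServiceClient from creating a
     * default ConfigurationContext, which would select the HttpClient 3 sender.
     */
    public static RPCServiceClient newClient(File repo, File axis2Xml) throws AxisFault {
        return new RPCServiceClient(loadConfiguration(repo, axis2Xml), null);
    }

    public static void main(String[] args) throws AxisFault {
        RPCServiceClient client = newClient(
            new File("/opt/app/axis2-repo"), new File("/opt/app/conf/axis2-client.xml"));
        String sender = client.getAxisConfiguration()
            .getTransportOut("http").getSender().getClass().getName();
        System.out.println("HTTP transport sender in use: " + sender);
        // ... configure Options (endpoint, authenticator) and call invokeBlocking as in the snippet above
    }
}
```

This only changes which sender the client instantiates at runtime; as Avi notes, the commons-httpclient:3.1 jar still arrives through Maven's transitive dependencies until Axis2 1.8 splits the two transports into separate artifacts, so the POM exclusion stays necessary in the meantime and a dependency scan is the right way to confirm the jar is gone from the packaged application.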
