[ 
https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Deepak reopened AXIS2-5757:
---------------------------

Hi

As we see that in Axis2 1.7.2 we have included "httpcore.version" and 
"httpclient.version" as 4.2.5, Miriam sent an email to the HttpComponents Dev 
Team to find out if Apache HttpClient 4.2.5 is vulnerable to CVE-2014-3577, and 
they confirmed that all 4.2 versions are vulnerable. The mail from the 
HttpComponents Dev Team states:

"All 4.2 versions are vulnerable

https://github.com/apache/httpclient/blob/4.2.x/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java"


Hence reopening the JIRA, as we still have the vulnerability 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577" not resolved.

Regds,
Deepak

> Version of httpclient bundled in axis2-1.7.1 is exposed to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>            Priority: Minor
>              Labels: httpclient
>             Fix For: 1.7.2
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is 
> susceptible to CVE-2012-6153, CVE-2014-3577.
> The vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in 
> Apache Commons HttpClient before 4.2.3" is vulnerable. 
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed 
> in the upcoming 1.7.2 or 1.8 release or any other release? If yes, when would 
> that be? The reason for this query is that our application uses Axis2 and hence 
> is exposed to this vulnerability. 
> Thanks,
> Regds,
> Deepak


