[ https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299616#comment-15299616 ]

Thamarai commented on AXIS2-5757:
---------------------------------

Hi All,

We are in the process of upgrading the axis2 to ver 1.7.1.

The release notes of Axis2 1.7.0 says that "Axis2 1.7.0 supports Apache 
HttpClient 4.x in addition to the no longer maintained Commons HttpClient 3.x"

So we upgraded the http client to HttpClient 4.4.1. But  
axis2-transport-http-1.7.1 still has some reference with 
commons-httpclient-3.13.1.

1) First we removed commons-httpclient-3.1 and tested. We got the error 
org.apache.commons.httpclient.HttpClient.HTTPMethod is not found.

2) So we added commons-httpclient-3.1 (in addition to the 4.4.1 http client) and 
tested, and the error thrown is as below.

org.apache.http.impl.client.InternalHttpClient incompatible with 
org.apache.commons.httpclient.HttpClient
org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.getHttpClient(HTTPSenderImpl.java:813)
org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:176)
org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
org.apache.axis2.client.OperationClient.execute(OperationClient.java:150)
ws.sq.com.sg.common.helper.MWServiceHelper.doSoapCallWithAttachment(MWServiceHelper.java:176)
ws.sq.com.sg.common.helper.ERetailHelper.callERetail(ERetailHelper.java:115)
ws.sq.com.sg.res.ecommerce.common.ERetailComponentImpl.callERetail(ERetailComponentImpl.java:114)
ws.sq.com.sg.res.ecommerce.air.AirServiceImpl.callERetail(AirServiceImpl.java:90)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
java.lang.reflect.Method.invoke(Method.java:613)
com.tibco.amf.platform.runtime.componentframework.internal.proxies.operation.OperationHandler.invokeMethodWithThreadContext(OperationHandler.java:486)
com.tibco.amf.platform.runtime.componentframework.internal.proxies.operation.MultiThreadedASyncToSyncOperationHandler$ASyncToSyncInvocationHandler.run(MultiThreadedASyncToSyncOperationHandler.java:203)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1121)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)
java.lang.Thread.run(Thread.java:779)

Either way, adding or removing commons-httpclient-3.1 gives us the issue, since 
axis2-transport-http-1.7.1 has a reference to commons-httpclient-3.1.

Could you give us the upgrade steps if we missed anything, or any fix to resolve 
this?
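The stack trace above passes from CommonsHTTPTransportSender into the impl.httpclient3 sender, which is the HttpClient 3.x code path and is why an HttpClient 4.x client object is rejected there. As an added example that is not part of this thread, the axis2.xml transportSender entry before and after switching to the HttpClient 4.x based sender; the HTTPClient4TransportSender class name is taken from the Axis2 1.7 HTTP transport documentation and is an assumption to verify against the axis2-transport-http jar in use:

```xml
<!-- Added example, not from the thread. -->

<!-- BEFORE: the default axis2.xml entry. CommonsHTTPTransportSender selects the
     impl.httpclient3 sender seen in the stack trace, so commons-httpclient-3.1
     must stay on the classpath while this entry is in effect. -->
<transportSender name="http"
                 class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>

<!-- AFTER: the HttpClient 4.x based sender (class name per Axis2 1.7 docs; assumption).
     With this entry the impl.httpclient3 classes are no longer invoked. -->
<transportSender name="http"
                 class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
```

Apply the same class change to the `name="https"` transportSender so that TLS calls also go through HttpClient 4.x; only after both senders are switched does the commons-httpclient-3.1 jar become removable.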


> Version of httpclient bundled in axis2-1.7.1 is exposed to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>              Labels: httpclient
>             Fix For: 1.7.2
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is 
> susceptible to CVE-2012-6153, CVE-2014-3577 
> The vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in 
> Apache Commons HttpClient before 4.2.3" is vulnerable. 
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed 
> in the upcoming 1.7.2 or 1.8 release or any other release? If yes, when would 
> that be? The reason for this query is that our application uses Axis2 and hence is 
> exposed to this vulnerability. 
> Thanks,
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
