Avi Sanwal created AXIS2-5822:
---------------------------------

             Summary: Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
                 Key: AXIS2-5822
                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
             Project: Axis2
          Issue Type: Bug
          Components: kernel, transports
    Affects Versions: 1.7.4, 1.5.1
            Reporter: Avi Sanwal


Hi,

We are getting a vulnerability notification for Apache httpclient:

*CVE ID*:  CVE-2015-5262
*Vulnerability Name*: Apache HttpClient = 4.3.3 - Denial of Service Vulnerability - 4.3.4
*References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478


Currently, we are using Axis2 (*1.5.1*), which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR:
  - What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
  - What is the recommendation to avoid packing this JAR along with our application (client-app)?

Note:
    * If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.


{code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
  import javax.xml.namespace.QName;

  import org.apache.axis2.AxisFault;
  import org.apache.axis2.addressing.EndpointReference;
  import org.apache.axis2.client.Options;
  import org.apache.axis2.rpc.client.RPCServiceClient;
  import org.apache.axis2.transport.http.HTTPConstants;
  import org.apache.axis2.transport.http.HttpTransportProperties;

  RPCServiceClient serviceClient = null;
  // holds the String returned by the service (the snippet assigned to an undeclared variable)
  String responseData = null;
  try {
          // create the RPC client
          serviceClient = new RPCServiceClient();
          Options options = serviceClient.getOptions();

          // HTTP Basic Authentication, sent preemptively with the first request
          HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
          auth.setUsername(wsUser);
          auth.setPassword(wsPassword);
          auth.setPreemptiveAuthentication(true);
          options.setProperty(HTTPConstants.AUTHENTICATE, auth);
          String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
          EndpointReference targetEPR = new EndpointReference(webServiceURL);

          // Set the options
          options.setTo(targetEPR);

          // QName of the method to invoke
          QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE,
                          SOAP_SERVICE_METHOD);

          Object[] opGenerateUrlArguments = new Object[] { application,
                  soapAddress, applicationPort, protocol };

          Class[] returnTypes = new Class[] { String.class };

          // blocking in-out invocation over the HTTP transport (commons-httpclient 3.1 by default)
          Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
                          opGenerateUrlArguments, returnTypes);
          if (response.length > 0) {
                  responseData = (String) response[0];
          }
  } catch (AxisFault af) {
          ...
  } catch (Exception e) {
          ...
  } finally {
          ...
  }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
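One way to keep commons-httpclient 3.1 out of the client application's build, as an added example for the reporter's second question (this is not code from the issue or from the Axis2 project): a Maven pom.xml fragment that excludes the transitive JAR from the Axis2 dependencies, plus the axis2.xml change assumed to be needed so the client's HTTP transport no longer loads it. The artifact coordinates, the HttpClient 4 transport sender class and the version property are assumptions.

```xml
<!-- pom.xml fragment (added example): drop commons-httpclient 3.1 from the
     Axis2 1.7.4 client dependencies and pull in HttpClient 4 instead. -->
<properties>
  <axis2.version>1.7.4</axis2.version>
  <!-- placeholder: substitute a current HttpClient 4.x release at build time -->
  <httpclient.version>HTTPCLIENT_VERSION_PLACEHOLDER</httpclient.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-kernel</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-transport-http</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- HttpClient 4 replaces the excluded 3.1 JAR at runtime -->
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>${httpclient.version}</version>
  </dependency>
</dependencies>

<!-- axis2.xml fragment (assumption): the default transportSender is built on
     commons-httpclient 3.1, so switch it to the HttpClient 4 sender; with the
     exclusion above but the default sender, the client fails with
     NoClassDefFoundError on the first request. -->
<transportSender name="http"
    class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
  <parameter name="PROTOCOL">HTTP/1.1</parameter>
  <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
```

Every Axis2 artifact the application depends on directly (for example the module that provides RPCServiceClient) needs the same exclusion block; afterwards `mvn dependency:tree -Dincludes=commons-httpclient` should print no match, which confirms the JAR is no longer packed.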
