[
https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Avi Sanwal updated AXIS2-5822:
------------------------------
Description:
Hi,
We are getting a vulnerability notification for commons-httpclient:
*CVE ID*: CVE-2015-5262
*References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
Currently, we are using Axis2 (*1.5.1*), which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR:
- What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
- What is the recommendation to avoid packing this JAR along with our application (client-app)?
Note:
* If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transitive dependency.
{code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
RPCServiceClient serviceClient = null;
String responseData = null;
try {
    // create the RPC client
    serviceClient = new RPCServiceClient();
    Options options = serviceClient.getOptions();
    // HTTP Basic Authentication (preemptive: credentials are sent with the first request)
    HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
    auth.setUsername(wsUser);
    auth.setPassword(wsPassword);
    auth.setPreemptiveAuthentication(true);
    options.setProperty(HTTPConstants.AUTHENTICATE, auth);
    String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
    EndpointReference targetEPR = new EndpointReference(webServiceURL);
    // Set the target endpoint
    options.setTo(targetEPR);
    // QName of the method to invoke
    QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
    Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
    Class[] returnTypes = new Class[] { String.class };
    Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
    if (response.length > 0) {
        responseData = (String) response[0];
    }
} catch (AxisFault af) {
    ...
} catch (Exception e) {
    ...
} finally {
    ...
}
{code}
was:
Hi,
We are getting a vulnerability notification for Apache httpclient:
*CVE ID*: CVE-2015-5262
*Vulnerability Name*: Apache HttpClient = 4.3.3 - Denial of Service Vulnerability - 4.3.4
*References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
Currently, we are using Axis2 (*1.5.1*), which internally uses _commons-httpclient (3.1)_. However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR:
- What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
- What is the recommendation to avoid packing this JAR along with our application (client-app)?
Note:
* If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transitive dependency.
{code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
RPCServiceClient serviceClient = null;
String responseData = null;
try {
    // create the RPC client
    serviceClient = new RPCServiceClient();
    Options options = serviceClient.getOptions();
    // HTTP Basic Authentication (preemptive: credentials are sent with the first request)
    HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
    auth.setUsername(wsUser);
    auth.setPassword(wsPassword);
    auth.setPreemptiveAuthentication(true);
    options.setProperty(HTTPConstants.AUTHENTICATE, auth);
    String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
    EndpointReference targetEPR = new EndpointReference(webServiceURL);
    // Set the target endpoint
    options.setTo(targetEPR);
    // QName of the method to invoke
    QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
    Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
    Class[] returnTypes = new Class[] { String.class };
    Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
    if (response.length > 0) {
        responseData = (String) response[0];
    }
} catch (AxisFault af) {
    ...
} catch (Exception e) {
    ...
} finally {
    ...
}
{code}
> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of
> Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
> Key: AXIS2-5822
> URL: https://issues.apache.org/jira/browse/AXIS2-5822
> Project: Axis2
> Issue Type: Bug
> Components: kernel, transports
> Affects Versions: 1.5.1, 1.7.4
> Reporter: Avi Sanwal
> Labels: CVE, commons-httpclient, vulnerability
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
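The reporter's second question, how to keep the transitive commons-httpclient 3.1 JAR out of a client application, is usually answered at the build level. The fragment below is an added example, not part of the issue and not the Axis2 project's own configuration: it shows a Maven dependency declaration that excludes commons-httpclient from the Axis2 client artifacts and supplies the HttpComponents HttpClient 4.x line instead. The Axis2 version and the HttpClient version are placeholders to be set from the project's own dependency policy; the artifact coordinates for axis2-kernel, axis2-transport-http and org.apache.httpcomponents:httpclient are the published ones. Two checks belong with this change: first, the referenced HTTPCLIENT-1478 (CVE-2015-5262) describes a timeout bug in HttpComponents HttpClient 4.x during the SSL handshake, fixed in 4.3.6, so confirm which artifact the scanner actually matched before treating the exclusion alone as the fix; second, Axis2 1.7.x chooses its HttpClient implementation through the `transportSender` class configured in axis2.xml, so the sender in use must match the HttpClient line left on the classpath (verify the class name against the axis2.xml shipped with the version in use).

```xml
<!-- Added example (not from the issue or the Axis2 project).
     Assumes a Maven build of the client-app; versions are placeholders. -->
<dependencies>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-kernel</artifactId>
    <version>1.7.4</version> <!-- placeholder: the Axis2 release actually in use -->
    <exclusions>
      <!-- keep the commons-httpclient 3.1 JAR out of the packaged application -->
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-transport-http</artifactId>
    <version>1.7.4</version> <!-- placeholder -->
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Provide the HttpClient 4.x line explicitly, pinned to a release that is not
       affected by the advisory being tracked (4.3.6 or later for HTTPCLIENT-1478). -->
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.x.y-PLACEHOLDER</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=commons-httpclient` should report no matching artifact; if it still appears, another dependency is pulling it in and needs the same exclusion. Run the client's integration tests against the switched transport before shipping, since the exclusion removes a JAR the default transport sender may still expect.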