[ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Veithen resolved AXIS2-5822.
------------------------------------
    Resolution: Invalid

This is a bug tracker. General questions like this should be discussed on the 
mailing list.

> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>
> Hi,
> We are getting a vulnerability notification for commons-httpclient-
> *CVE ID*:  CVE-2015-5262
> *References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> Currently, we are using Axis2 (*1.5.1*) which internally uses 
> _commons-httpclient (3.1)_. However, the latest stable version (as of now, 
> *1.7.4*) still employs _commons-httpclient:3.1_ by default.
> Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR,
>   - What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
>   - What is the recommendation to avoid packing this JAR along with our application (client-app)?
> Note:
>     * If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.
> {code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
>   // Imports required by the snippet below (Axis2 client API, javax.xml QName)
>   import javax.xml.namespace.QName;
>   import org.apache.axis2.AxisFault;
>   import org.apache.axis2.addressing.EndpointReference;
>   import org.apache.axis2.client.Options;
>   import org.apache.axis2.rpc.client.RPCServiceClient;
>   import org.apache.axis2.transport.http.HTTPConstants;
>   import org.apache.axis2.transport.http.HttpTransportProperties;
>
>   RPCServiceClient serviceClient = null;
>   // Holds the first return value of the call; the original declared this as
>   // responseUrl but assigned responseData, which would not compile.
>   String responseData = null;
>   try {
>         // create the RPC client
>         serviceClient = new RPCServiceClient();
>         Options options = serviceClient.getOptions();
>         // HTTP Basic Authentication, sent preemptively with the first request
>         HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>         auth.setUsername(wsUser);
>         auth.setPassword(wsPassword);
>         auth.setPreemptiveAuthentication(true);
>         options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>         // Target endpoint, built from the configured protocol, host and port
>         String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
>         EndpointReference targetEPR = new EndpointReference(webServiceURL);
>         // Set the options
>         options.setTo(targetEPR);
>         // QName of the method to invoke
>         QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);
>         Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };
>         Class[] returnTypes = new Class[] { String.class };
>
>         // Blocking RPC call over the (commons-httpclient 3.1 backed) HTTP transport
>         Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
>         if (response.length > 0) {
>                 responseData = (String) response[0];
>         }
>   } catch (AxisFault af) {
>         ...
>   } catch (Exception e) {
>         ...
>   } finally {
>         ...
>   }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
