[ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15761508#comment-15761508 ]

Avi Sanwal commented on AXIS2-5822:
-----------------------------------

[~veithen], I would like to argue that this is indeed a bug, albeit due to an 
external dependency, and needs attention.
I am not re-opening the JIRA, however.

For others' reference, this can be worked around by modifying the axis2.xml 
configuration and having RPCServiceClient use it. You may need to exclude the 
transient dependency on an older version of HTTPClient (e.g., for Maven this can be 
done with the <excludes> tag in pom.xml). See [release notes of 
1.7.0|http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html] for more 
details.

> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of 
> Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>
> Hi,
> We are getting a vulnerability notification for commons-httpclient-
> *CVE ID*:  CVE-2015-5262
> *References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> Currently, we are using Axis2 (*1.5.1*) which internally uses 
> _commons-httpclient (3.1)_. However, the latest stable version (as of now, 
> *1.7.4*) still employs _commons-httpclient:3.1_ by default.
> Since the reported vulnerability is present in the _commons-httpclient:3.1_ 
> JAR, 
>   - What is the mitigation plan of Axis2 for this vulnerability, when can it 
> be expected in a stable release?
>   - What is the recommendation to avoid packing this JAR along with our 
> application (client-app)?
> Note:
>     * If, necessary, we can move to a newer stable version (1.7.x). But 
> currently, it does not help us since _commons-httpclient:3.1_ still gets 
> packed as a transient dependency.
> {code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
>   RPCServiceClient serviceClient = null;
>   String responseUrl = null;
>   try {
>         // create the RPC client
>         serviceClient = new RPCServiceClient();
>         Options options = serviceClient.getOptions();
>         // HTTP Basic Authentication
>         HttpTransportProperties.Authenticator auth = new 
> HttpTransportProperties.Authenticator();
>         auth.setUsername(wsUser);
>         auth.setPassword(wsPassword);
>         auth.setPreemptiveAuthentication(true);                       
>         options.setProperty(HTTPConstants.AUTHENTICATE, auth);
>         String webServiceURL = protocol + "://"+ soapAddress + ":" + 
> soapPort+ "/TestService/services/TestService";
>         EndpointReference targetEPR = new EndpointReference(webServiceURL);
>         // Set the options
>         options.setTo(targetEPR);
>         // QName of the method to invoke
>         QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE,
>                         SOAP_SERVICE_METHOD);
>         Object[] opGenerateUrlArguments = new Object[] { application,
>                 soapAddress, applicationPort, protocol };
>         Class[] returnTypes = new Class[] { String.class };
>         
>         Object[] response = serviceClient.invokeBlocking(opGenerateUrl,
>                         opGenerateUrlArguments, returnTypes);
>         if (response.length > 0) {
>                 responseUrl = (String) response[0];
>         }
>   } catch (AxisFault af) {
>         ...
>   } catch (Exception e) {
>         ...
>   } finally {
>         ...
>   }
> {code}
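
The workaround described in the comment above, as an added example that is not part of the issue or of Axis2 itself: it loads an explicit axis2.xml into a ConfigurationContext, hands that context to RPCServiceClient, and then checks which HTTP transport sender is actually wired in and whether commons-httpclient 3.x classes are still reachable on the classpath. The sender class name, the file paths and the `Axis2TransportCheck` class are assumptions; the axis2.xml and pom.xml changes are sketched in the comments.

```java
// Added example, not code from the issue. Assumes Axis2 1.7.x and an axis2.xml whose
// "http" and "https" transportSender elements use the HttpClient 4 based sender, e.g.
//   <transportSender name="http"
//       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
//     <parameter name="PROTOCOL">HTTP/1.1</parameter>
//     <parameter name="Transfer-Encoding">chunked</parameter>
//   </transportSender>
// and a pom.xml that excludes commons-httpclient:commons-httpclient from the Axis2
// artifacts and declares org.apache.httpcomponents:httpclient instead.
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;

public class Axis2TransportCheck {

    // Assumed fully qualified name of the HttpClient 4 sender shipped with Axis2 1.7.x.
    static final String HC4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Build a context from an explicit axis2.xml instead of the one bundled in the JAR. */
    static ConfigurationContext loadContext(String repoDir, String axis2Xml) throws AxisFault {
        return ConfigurationContextFactory.createConfigurationContextFromFileSystem(repoDir, axis2Xml);
    }

    /** True only when both the "http" and "https" senders are the HttpClient 4 implementation. */
    static boolean usesHttpClient4(ConfigurationContext ctx) {
        for (String name : new String[] {"http", "https"}) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            if (out == null || out.getSender() == null
                    || !HC4_SENDER.equals(out.getSender().getClass().getName())) {
                return false;
            }
        }
        return true;
    }

    /** True when commons-httpclient 3.x is still on the classpath, i.e. the exclusion did not take. */
    static boolean commonsHttpClient3OnClasspath() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws AxisFault {
        // Placeholder path; repoDir may be null when no services or modules are deployed client-side.
        ConfigurationContext ctx = loadContext(null, "conf/axis2.xml");
        RPCServiceClient client = new RPCServiceClient(ctx, null); // use as in the snippet above
        System.out.println("HttpClient 4 sender active: " + usesHttpClient4(ctx));
        System.out.println("commons-httpclient 3.x on classpath: " + commonsHttpClient3OnClasspath());
    }
}
```

Both checks should be part of a build or startup self-test: a custom axis2.xml that is never loaded, or an exclusion that a second dependency path silently undoes, leaves the 3.1 JAR in place even though the configuration looks correct.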



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
