See AXIS2-6018, for users of Axis2 1.8.0 there is no issue.
For users of 1.7.x who have upgraded to Apache HTTPClient 4.x as described
in AXIS2-5959 and are using a recent version of Apache HTTPClient
unaffected by CVE-2014-3577 from 2014 there is no issue.
All users are always encouraged to upgrade their Apache HTTPClient jars to
the latest version. Apache httpclient has had no releases since Axis2 1.8.0
was released however Apache httpcore has had a recent release. Jar updates
can be done by these pom.xml updates:
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpcore</artifactId>
<version>4.4.15</version>
</dependency>
Users can always build from source to get the latest jars:
git clone https://github.com/apache/axis-axis2-java-core.git
Regards,
Robert
