axis-java-dev mailing list archives

From "Thamarai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5757) Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
Date Wed, 25 May 2016 07:36:12 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299616#comment-15299616 ]

Thamarai commented on AXIS2-5757:
---------------------------------

Hi All,

We are in the process of upgrading Axis2 to version 1.7.1.

The release notes of Axis2 1.7.0 say that "Axis2 1.7.0 supports Apache HttpClient 4.x in
addition to the no longer maintained Commons HttpClient 3.x".

So we upgraded the HTTP client to HttpClient 4.4.1. But axis2-transport-http-1.7.1 still
has some references to commons-httpclient-3.13.1.

1) First we removed commons-httpclient-3.1 and tested. We got the error that org.apache.commons.httpclient.HttpClient.HTTPMethod
was not found.

2) So we added commons-httpclient-3.1 (in addition to the 4.4.1 HTTP client) and tested, and the
error thrown is as below.

org.apache.http.impl.client.InternalHttpClient incompatible with org.apache.commons.httpclient.HttpClient
org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.getHttpClient(HTTPSenderImpl.java:813)
org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:176)
org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
org.apache.axis2.client.OperationClient.execute(OperationClient.java:150)
ws.sq.com.sg.common.helper.MWServiceHelper.doSoapCallWithAttachment(MWServiceHelper.java:176)
ws.sq.com.sg.common.helper.ERetailHelper.callERetail(ERetailHelper.java:115)
ws.sq.com.sg.res.ecommerce.common.ERetailComponentImpl.callERetail(ERetailComponentImpl.java:114)
ws.sq.com.sg.res.ecommerce.air.AirServiceImpl.callERetail(AirServiceImpl.java:90)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
java.lang.reflect.Method.invoke(Method.java:613)
com.tibco.amf.platform.runtime.componentframework.internal.proxies.operation.OperationHandler.invokeMethodWithThreadContext(OperationHandler.java:486)
com.tibco.amf.platform.runtime.componentframework.internal.proxies.operation.MultiThreadedASyncToSyncOperationHandler$ASyncToSyncInvocationHandler.run(MultiThreadedASyncToSyncOperationHandler.java:203)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1121)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)
java.lang.Thread.run(Thread.java:779)

Either way, adding commons-httpclient-3.1 or removing commons-httpclient-3.1 gives us the
issue, since axis2-transport-http-1.7.1 has references to commons-httpclient-3.1.

Could you give us the upgrade steps if we missed anything or any fix to resolve this?

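The stack trace in the comment above shows the request going through org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl, called from CommonsHTTPTransportSender: that sender is the HttpClient 3.x implementation, so it needs commons-httpclient-3.1 on the classpath (the first error) and cannot accept an HttpClient 4.x client object (the ClassCastException in the second). Swapping jars does not switch implementations; the transportSender entry in axis2.xml does. The excerpt below is an added example, not configuration from this thread or from the Axis2 project, and it shows the entry that selects the HttpClient 3.x sender beside the one that selects the HttpClient 4.x sender. The class name HTTPClient4TransportSender is taken from the Axis2 1.7.0 release notes, not from this page, so confirm it exists in the axis2-transport-http jar you actually ship; the PROTOCOL and Transfer-Encoding parameters are the stock ones from a default axis2.xml.

```xml
<!-- axis2.xml excerpt (added example, not from the thread). Only one
     transportSender named "http" may be present; the two below are shown
     together as the "before" and "after" of the change. -->

<!-- Before: the deprecated sender, hard-wired to Commons HttpClient 3.x
     (org.apache.axis2.transport.http.impl.httpclient3.*), which is the
     path visible in the stack trace above. -->
<transportSender name="http"
                 class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>

<!-- After: the Apache HttpClient 4.x sender. Class name per the Axis2 1.7.0
     release notes (assumption: it is not stated on this page). The "https"
     transportSender entry, if configured, needs the same class change. -->
<transportSender name="http"
                 class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
```

Two checks are worth making after the change. First, provoke a failed call and confirm that the stack trace now passes through the impl.httpclient4 package rather than impl.httpclient3; if it still shows HTTPSenderImpl from httpclient3, a second axis2.xml (for example one packaged inside a service archive or picked up from a different repository path) is overriding yours. Second, the CVE text quoted in the issue names AbstractVerifier in HttpClient versions before 4.2.3, so the hostname verification fix only applies if the httpclient jar that is actually first on the runtime classpath is 4.2.3 or later; a stale httpclient-4.2.1.jar left in the lib directory alongside 4.4.1 would keep the vulnerable verifier in play even with the sender switched.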

> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>              Labels: httpclient
>             Fix For: 1.7.2
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is susceptible
> to CVE-2012-6153, CVE-2014-3577.
> The vulnerability description says that the class "http/conn/ssl/AbstractVerifier.java in Apache
> Commons HttpClient before 4.2.3" is vulnerable. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed in the upcoming
> 1.7.2 or 1.8 release, or any other release? If yes, when would that be? The reason for this query
> is that our application uses Axis2 and is hence exposed to this vulnerability.
> Thanks,
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

