axis-java-dev mailing list archives

From "Avi Sanwal (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AXIS2-5822) Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
Date Fri, 25 Nov 2016 15:31:59 GMT

     [ https://issues.apache.org/jira/browse/AXIS2-5822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Avi Sanwal updated AXIS2-5822:
------------------------------
    Description: 
Hi,

We are getting a vulnerability notification for Apache httpclient:

*CVE ID*:  CVE-2015-5262
*Vulnerability Name*: Apache HttpClient = 4.3.3 - Denial of Service Vulnerability - 4.3.4
*References*: https://issues.apache.org/jira/browse/HTTPCLIENT-1478


Currently, we are using Axis2 (*1.5.1*) which internally uses _commons-httpclient (3.1)_.
However, the latest stable version (as of now, *1.7.4*) still employs _commons-httpclient:3.1_ by default.
Since the reported vulnerability is present in the _commons-httpclient:3.1_ JAR,
  - What is the mitigation plan of Axis2 for this vulnerability, and when can it be expected in a stable release?
  - What is the recommendation to avoid packing this JAR along with our application (client-app)?

Note:
    * If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since _commons-httpclient:3.1_ still gets packed as a transient dependency.


{code:title=Client Code snippet, for reference|theme=FadeToGrey|language=java|collapse=true}
  RPCServiceClient serviceClient = null;
  String responseUrl = null;
  try {
	  // create the RPC client
	  serviceClient = new RPCServiceClient();
	  Options options = serviceClient.getOptions();

	  // HTTP Basic Authentication (preemptive: credentials are sent with the first request)
	  HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
	  auth.setUsername(wsUser);
	  auth.setPassword(wsPassword);
	  auth.setPreemptiveAuthentication(true);
	  options.setProperty(HTTPConstants.AUTHENTICATE, auth);
	  String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
	  EndpointReference targetEPR = new EndpointReference(webServiceURL);

	  // Set the options
	  options.setTo(targetEPR);

	  // QName of the method to invoke
	  QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);

	  Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };

	  Class[] returnTypes = new Class[] { String.class };

	  Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
	  if (response.length > 0) {
		  // the single String return value is the generated URL
		  responseUrl = (String) response[0];
	  }
  } catch (AxisFault af) {
	  // ...
  } catch (Exception e) {
	  // ...
  } finally {
	  // ...
  }
{code}
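Before the second question (how to keep the JAR out of the client-app) can be answered, one has to know which direct dependency drags commons-httpclient in, because that is where a Maven exclusion has to be declared. The script below is an added example, not part of the issue or of the Axis2 project: it parses `mvn dependency:tree` output and reports every path through which a given artifact is pulled in. The sample tree is constructed; apart from Axis2 1.7.4 and commons-httpclient 3.1, which the issue names, its coordinates (axis2-kernel, axiom-api, commons-codec, junit, the client-app itself) and the function names are assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a client app on Axis2 1.7.4.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ client-app ---
[INFO] com.example:client-app:jar:1.0
[INFO] +- org.apache.axis2:axis2-kernel:jar:1.7.4:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |  |  \\- commons-codec:commons-codec:jar:1.2:compile
[INFO] |  \\- org.apache.ws.commons.axiom:axiom-api:jar:1.2.20:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# prefix of "|  " / "   " groups, optional "+- " or "\- " connector, then the coordinate
TREE_LINE = re.compile(r"^\[INFO\] ((?:[| ]  )*)((?:[+\\]- )?)(\S+:\S+)$")


def parse_tree(text):
    """Yield (depth, coordinate) for every node line; other log lines are skipped."""
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        prefix, connector, coord = m.groups()
        depth = len(prefix) // 3 + (1 if connector else 0)  # root line has depth 0
        yield depth, coord


def find_paths(text, group_id, artifact_id):
    """Return every root -> ... -> match path through which group:artifact is pulled in."""
    stack, paths = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # drop siblings' subtrees, keep ancestors
        stack.append(coord)
        parts = coord.split(":")
        if parts[0] == group_id and parts[1] == artifact_id:
            paths.append(list(stack))
    return paths


def exclusion_targets(paths):
    """(direct dependency, matched version) pairs: the direct dependency is the one
    whose <dependency> element needs the <exclusion>; root-level matches map to root."""
    seen = []
    for p in paths:
        parts = p[-1].split(":")
        version = parts[-1] if len(parts) == 4 else parts[-2]  # root has no scope field
        target = (p[1] if len(p) > 1 else p[0], version)
        if target not in seen:
            seen.append(target)
    return seen
```

Running `find_paths(SAMPLE_TREE, "commons-httpclient", "commons-httpclient")` on the sample shows the JAR arriving only via axis2-kernel, so that is the dependency to exclude it from (and to re-check after the exclusion, since a second path would keep it on the classpath).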


> Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability
> --------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5822
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5822
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel, transports
>    Affects Versions: 1.5.1, 1.7.4
>            Reporter: Avi Sanwal
>              Labels: CVE, commons-httpclient, vulnerability
>


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
