[Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

Avi Sanwal

Hi,

We are getting a vulnerability notification for commons-httpclient

CVE ID: CVE-2015-5262
References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478

Currently, we are using Axis2 (1.5.1) which internally uses commons-httpclient (3.1). However, the latest stable version (as of now, 1.7.4) still employs commons-httpclient:3.1 by default.
Since the reported vulnerability is present in the commons-httpclient:3.1 JAR,

  • What is the mitigation plan of Axis2 for this vulnerability, when can it be expected in a stable release?
  • What is the recommendation to avoid packing this JAR along with our application (client-app)?

Note:

  • If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since commons-httpclient:3.1 still gets packed as a transient dependency.


Client Code snippet, for reference

  // imports used by the snippet (Axis2 1.5.1 / 1.7.x package names)
  import javax.xml.namespace.QName;
  import org.apache.axis2.AxisFault;
  import org.apache.axis2.addressing.EndpointReference;
  import org.apache.axis2.client.Options;
  import org.apache.axis2.rpc.client.RPCServiceClient;
  import org.apache.axis2.transport.http.HTTPConstants;
  import org.apache.axis2.transport.http.HttpTransportProperties;

  RPCServiceClient serviceClient = null;
  String responseData = null;
  try {
      // create the RPC client; with no ConfigurationContext passed in, the
      // default axis2.xml (and its commons-httpclient 3.1 based HTTP transport) is used
      serviceClient = new RPCServiceClient();
      Options options = serviceClient.getOptions();

      // HTTP Basic Authentication; preemptive mode sends the credentials with the
      // very first request, so the endpoint should be an https:// URL
      HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
      auth.setUsername(wsUser);
      auth.setPassword(wsPassword);
      auth.setPreemptiveAuthentication(true);
      options.setProperty(HTTPConstants.AUTHENTICATE, auth);
      String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
      EndpointReference targetEPR = new EndpointReference(webServiceURL);

      // Set the options
      options.setTo(targetEPR);

      // QName of the method to invoke
      QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);

      Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };

      Class[] returnTypes = new Class[] { String.class };

      // blocking RPC call; the first return value is the generated URL
      Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
      if (response.length > 0) {
          responseData = (String) response[0];
      }
  } catch (AxisFault af) {
      // ...
  } catch (Exception e) {
      // ...
  } finally {
      // ...
  }

Thanking You
Yours Sincerely
Avi Sanwal

PS: I also created a JIRA earlier (before I read the FAQs) - https://issues.apache.org/jira/browse/AXIS2-5822
PPS: I am unable to access the mailing archives to see if this concern has been already addressed.
Re: [Axis2] Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability

Andreas Veithen-2
You need to switch to the HttpClient 4.x based HTTP transport as
explained in the Axis2 1.7.0 release notes [1]. This means that you
need to create a customized axis2.xml config file, instantiate a
ConfigurationContext from that file and pass it to the
RPCServiceClient (instead of letting RPCServiceClient create a default
ConfigurationContext for you).

Andreas

[1] http://axis.apache.org/axis2/java/core/release-notes/1.7.0.html

On Mon, Nov 28, 2016 at 11:31 AM, Avi Sanwal <[hidden email]> wrote:


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
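
The steps Andreas describes (a customised axis2.xml that names the HttpClient 4.x transport sender, a ConfigurationContext built from that file, and an RPCServiceClient constructed with that context) worked through as an added example; this is not code from the thread or from the Axis2 project. It assumes Axis2 1.7.x on the classpath, a hypothetical path /etc/myapp/axis2-httpclient4.xml for the customised axis2.xml, and that endpoint, user name and password are supplied by the caller. The transport sender class name is the one the Axis2 1.7.x distribution ships for HttpClient 4.x; the check on the loaded transport descriptions is there because the CVE is only mitigated if that class is actually the one in use, not merely present on the classpath.

```java
// Added example, not the Axis2 project's own code.
//
// Step 1 (outside this file): copy the stock axis2.xml from the Axis2 1.7.x
// distribution and change the class of the "http" and "https" transport
// senders to the HttpClient 4.x implementation, keeping the existing
// <parameter> children:
//
//   <transportSender name="http"
//       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
//       <parameter name="PROTOCOL">HTTP/1.1</parameter>
//       <parameter name="Transfer-Encoding">chunked</parameter>
//   </transportSender>
//   <transportSender name="https"
//       class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
//       <parameter name="PROTOCOL">HTTP/1.1</parameter>
//       <parameter name="Transfer-Encoding">chunked</parameter>
//   </transportSender>
//
// Step 2 (this file): load that file into a ConfigurationContext, verify the
// sender class that was actually configured, and hand the context to the client.
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.rpc.client.RPCServiceClient;
import org.apache.axis2.transport.TransportSender;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;

public class HttpClient4AxisClient {

    /** Hypothetical location of the customised axis2.xml (assumption). */
    private static final String AXIS2_XML = "/etc/myapp/axis2-httpclient4.xml";

    /** HttpClient 4.x based transport sender shipped with Axis2 1.7.x. */
    private static final String HC4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    public static RPCServiceClient createClient(String endpoint, String user, String password)
            throws AxisFault {
        // null repository path: only axis2.xml is needed, no services/modules repository
        ConfigurationContext ctx =
            ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, AXIS2_XML);

        // Fail fast if the file still configures the commons-httpclient 3.1 sender.
        for (String name : new String[] { "http", "https" }) {
            TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(name);
            TransportSender sender = (out == null) ? null : out.getSender();
            String actual = (sender == null) ? "none" : sender.getClass().getName();
            if (!HC4_SENDER.equals(actual)) {
                throw new AxisFault("transport '" + name + "' uses " + actual
                    + " instead of " + HC4_SENDER);
            }
        }

        // Pass the context in; RPCServiceClient() with no arguments would build a
        // default context from the bundled axis2.xml and bypass the change above.
        RPCServiceClient client = new RPCServiceClient(ctx, null);
        Options options = client.getOptions();
        options.setTo(new EndpointReference(endpoint));

        HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
        auth.setUsername(user);
        auth.setPassword(password);
        // Preemptive Basic auth puts the credentials on the first request, so only
        // enable it when the transport is TLS-protected.
        auth.setPreemptiveAuthentication(endpoint.startsWith("https://"));
        options.setProperty(HTTPConstants.AUTHENTICATE, auth);
        return client;
    }
}
```

The client returned here is used exactly like the one in the original snippet (invokeBlocking with the operation QName, arguments and return types). Tying preemptive authentication to an https:// endpoint is a deliberate change from the original, which enabled it unconditionally.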

RE: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

Avi Sanwal

Hi Andreas,

Thanks for the response. We have already followed the instructions in the AXIS2 documentation to migrate to 1.7.4. We tried with a customized RPCServiceClient, and it picks the new HTTPClient version. However, we fear that the below-mentioned vulnerability would still be reported, as Maven transiently still packs the old version of HTTPClient (3.1). So we have added an <excludes> clause in our dependency.

This will work for now; however, it looks like a workaround-ish fix. We hope that AXIS2 would provide a 'default' fix (without having users rely on the <excludes>) in a near-future release (or a fork for backward compatibility?).

Eagerly awaiting your response,

Avi Sanwal

From: [hidden email]
Sent: Monday, December 19, 2016 8:48 PM
To: [hidden email]
Subject: Re: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

Re: [Axis2] Vulnerability notification for Apache httpclient(CVE-2015-5262) - Denial of Service Vulnerability

Andreas Veithen-2
On Mon, Dec 19, 2016 at 3:35 PM,  <[hidden email]> wrote:

> Hi Andreas,
>
>
>
> Thanks for the response. We have already followed the instructions in AXIS2
> documentations to migrate to 1.7.4. We tried with a customized
> RPCServiceClient, and it picks the new HTTPClient version. However, we fear
> that the below mentioned vulnerability would still be reported as Maven
> transiently still packs the old version of HTTPClient (3.1). So we have
> added an <excludes> clause in our dependency.
>
>
>
> This will work for now, however, it looks like a workaround-ish fix. We hope
> that AXIS2 would provide a ‘default’ fix (without having users to rely on
> the <excludes>) in a near future release (or a fork for backward
> compatibility?).

In Axis2 1.8, HttpClient 4.x will be the default, and the two
implementations of the HTTP transport will be available as two
distinct Maven artifacts, effectively fixing the transitive dependency
problem.

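
The thread leaves the Maven side of the fix (an exclusion of commons-httpclient:commons-httpclient on the Axis2 dependency that pulls it in, until Axis2 1.8 splits the two transports into separate artifacts) with no way to confirm it worked in the packaged application. An added example, not code from the thread or from the Axis2 project: a small classpath audit that reports whether the HttpClient 3.x entry class is still loadable and from which jar, and whether the HttpClient 4.x API and the Axis2 HttpClient 4 sender are present. It assumes nothing beyond a JRE and the application's own classpath; the three class names are those of commons-httpclient 3.x, Apache HttpClient 4.x and the Axis2 1.7.x HttpClient 4 sender.

```java
// Added example, not the Axis2 project's own code.
//
// Run on the application's classpath after packaging, e.g. as a CI smoke test:
//   java -cp 'target/lib/*:target/classes' HttpClientClasspathAudit
// A non-zero exit means commons-httpclient 3.x is still shipped, or the
// HttpClient 4.x transport the application was switched to is missing.
import java.net.URL;
import java.security.CodeSource;

public class HttpClientClasspathAudit {

    /** Entry class of the commons-httpclient 3.x line affected by CVE-2015-5262. */
    static final String HC3_CLASS = "org.apache.commons.httpclient.HttpClient";

    /** Entry interface of Apache HttpClient 4.x (org.apache.httpcomponents). */
    static final String HC4_CLASS = "org.apache.http.client.HttpClient";

    /** Axis2 1.7.x transport sender built on HttpClient 4.x. */
    static final String HC4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /**
     * Returns the jar or directory the class is loaded from, or null when the
     * class is not on the classpath. initialize=false avoids running static
     * initialisers of whatever library happens to be present.
     */
    static String locate(String className) {
        try {
            Class<?> c = Class.forName(className, false,
                HttpClientClasspathAudit.class.getClassLoader());
            CodeSource src = c.getProtectionDomain().getCodeSource();
            URL loc = (src == null) ? null : src.getLocation();
            return (loc == null) ? "<unknown location>" : loc.toString();
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    /** Clean means: HttpClient 3.x absent, HttpClient 4.x API and Axis2 HC4 sender present. */
    static boolean isClean() {
        return locate(HC3_CLASS) == null
            && locate(HC4_CLASS) != null
            && locate(HC4_SENDER) != null;
    }

    private static String describe(String className, boolean wantPresent) {
        String loc = locate(className);
        if (loc == null) {
            return wantPresent ? "ABSENT" : "absent (good)";
        }
        return (wantPresent ? "present at " : "PRESENT at ") + loc;
    }

    public static void main(String[] args) {
        System.out.println("commons-httpclient 3.x : " + describe(HC3_CLASS, false));
        System.out.println("httpclient 4.x API     : " + describe(HC4_CLASS, true));
        System.out.println("Axis2 HC4 sender       : " + describe(HC4_SENDER, true));
        if (!isClean()) {
            System.exit(1);
        }
    }
}
```

This complements, rather than replaces, a review of mvn dependency:tree: a dependency scanner flags the 3.1 jar wherever it is shipped, so the goal is for the first line to read "absent (good)" while the other two name the jars that were actually packaged. If the exclusion is forgotten on one of several Axis2 artifacts, the reported location of the 3.x class shows which jar brought it back.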