Uploaded image for project: 'Axis2'
  1. Axis2
  2. AXIS2-5759

Upgrade HTTPCore and HTTPClient into latest versions

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 1.7.0, 1.7.1
    • None
    • transports
    • None

    Description

      Axis2 1.7.0 and 1.7.1 ship with vulnerable versions of httpclient-4.2.1.jar and commons-httpclient-3.1.jar:

      CVE-2014-3577 (affected products include Apache HttpClient 4.2.1):
      https://exchange.xforce.ibmcloud.com/vulnerabilities/95327?cm_mc_uid=07675441652414567688362&cm_mc_sid_50200000=1460556797

      CVE-2012-6153 (affected products include Apache HttpClient 4.2.1 and Apache HttpClient 3.1):
      https://exchange.xforce.ibmcloud.com/vulnerabilities/95328?cm_mc_uid=07675441652414567688362&cm_mc_sid_50200000=1460556797

      Additional information on these vulnerabilities can be found at this link:
      http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html

      httpcore-4.2.1.jar and httpclient-4.2.1.jar should be upgraded to the newer GA versions available (https://hc.apache.org/downloads.cgi) and commons-httpclient-3.1.jar should be removed if possible.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. AXIS2-5757 Version of httpclient bundled in axis2-1.7.1 is exposed to to the vulnerability CVE-2012-6153, CVE-2014-3577

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              mceli Miriam Celi
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: