Project: Axis2
Issue: AXIS2-5822

Vulnerability notification for Apache httpclient (CVE-2015-5262) - Denial of Service Vulnerability


Details

    Description

      Hi,

      We are getting a vulnerability notification for commons-httpclient-

      CVE ID: CVE-2015-5262
      References: https://issues.apache.org/jira/browse/HTTPCLIENT-1478

      Currently, we are using Axis2 (1.5.1) which internally uses commons-httpclient (3.1). However, the latest stable version (as of now, 1.7.4) still employs commons-httpclient:3.1 by default.
      Since the reported vulnerability is present in the commons-httpclient:3.1 JAR,

      • What is the mitigation plan of Axis2 for this vulnerability, when can it be expected in a stable release?
      • What is the recommendation to avoid packing this JAR along with our application (client-app)?

      Note:

      • If necessary, we can move to a newer stable version (1.7.x). But currently, it does not help us since commons-httpclient:3.1 still gets packed as a transient dependency.

      Client code snippet, for reference:
        // Imports needed by the snippet (Axis2 1.5.x / 1.7.x client API)
        import javax.xml.namespace.QName;
        import org.apache.axis2.AxisFault;
        import org.apache.axis2.addressing.EndpointReference;
        import org.apache.axis2.client.Options;
        import org.apache.axis2.rpc.client.RPCServiceClient;
        import org.apache.axis2.transport.http.HTTPConstants;
        import org.apache.axis2.transport.http.HttpTransportProperties;

        // wsUser, wsPassword, protocol, soapAddress, soapPort, application,
        // applicationPort, SOAP_SERVICE_NAMESPACE and SOAP_SERVICE_METHOD are
        // supplied by the surrounding application code.
        RPCServiceClient serviceClient = null;
        String responseUrl = null;
        try {
            // create the RPC client
            serviceClient = new RPCServiceClient();
            Options options = serviceClient.getOptions();

            // HTTP Basic Authentication, sent preemptively (without waiting for a 401)
            HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
            auth.setUsername(wsUser);
            auth.setPassword(wsPassword);
            auth.setPreemptiveAuthentication(true);
            options.setProperty(HTTPConstants.AUTHENTICATE, auth);

            String webServiceURL = protocol + "://" + soapAddress + ":" + soapPort + "/TestService/services/TestService";
            EndpointReference targetEPR = new EndpointReference(webServiceURL);

            // Set the target endpoint
            options.setTo(targetEPR);

            // QName of the method to invoke
            QName opGenerateUrl = new QName(SOAP_SERVICE_NAMESPACE, SOAP_SERVICE_METHOD);

            Object[] opGenerateUrlArguments = new Object[] { application, soapAddress, applicationPort, protocol };

            Class[] returnTypes = new Class[] { String.class };

            // Blocking RPC call; the HTTP transport underneath is the commons-httpclient 3.1 sender
            Object[] response = serviceClient.invokeBlocking(opGenerateUrl, opGenerateUrlArguments, returnTypes);
            if (response.length > 0) {
                responseUrl = (String) response[0];
            }
        } catch (AxisFault af) {
            // ... (handling elided in the report)
        } catch (Exception e) {
            // ...
        } finally {
            // ...
        }
      
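One way to keep the vulnerable JAR out of the packaged client application, as an added example that is not part of this issue report and not Axis2 project code: a Maven pom.xml fragment that excludes commons-httpclient 3.1 from the Axis2 artifacts the client uses, pulls in HttpClient 4.x instead, and uses the maven-enforcer-plugin's bannedDependencies rule so the build fails if the 3.1 JAR creeps back in through another path. The Axis2 version (1.7.4, the release named in the report), the set of Axis2 modules (axis2-kernel, axis2-transport-http, axis2-adb, which provides RPCServiceClient), and the HttpClient 4.5.13 version are assumptions to adapt to your build.

```xml
<!-- pom.xml fragment (added example; versions are assumptions, adjust to your build) -->
<properties>
  <axis2.version>1.7.4</axis2.version>
  <httpclient4.version>4.5.13</httpclient4.version>
</properties>

<dependencies>
  <!-- Each Axis2 artifact that may transitively pull commons-httpclient:3.1
       gets an explicit exclusion; an exclusion for a dependency that is not
       actually present is harmless. -->
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-kernel</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-transport-http</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-adb</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- HttpClient 4.x for the HttpClient-4-based Axis2 transport sender -->
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>${httpclient4.version}</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fail the build if commons-httpclient 3.x reappears via any other path -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-commons-httpclient-3</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>commons-httpclient:commons-httpclient</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Verify the result with `mvn dependency:tree -Dincludes=commons-httpclient`, which should print no matching artifact once the exclusions are in place. Excluding the JAR alone is not enough at runtime: the default Axis2 1.7.x transport sender is built on commons-httpclient 3.1 and will fail with a NoClassDefFoundError without it, so the client's axis2.xml must also switch the `transportSender` for http and https to the HttpClient-4-based sender shipped in Axis2 1.7.x (the class `org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender` in the 1.7.x distribution's axis2.xml; confirm the name against the release you deploy).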

People

  Assignee: Unassigned
  Reporter: Avi Sanwal (avi.sanwal)