  1. Axis2
  2. AXIS2-6018

Axis2 users of old Apache HTTPClient versions and CVE-2012-5785

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Implemented
    • None
    • 1.8.0
    • None
    • None

    Description

      This issue is to track an issue already fixed in Axis2 1.8.0; CVE-2012-5785 is not relevant because it discusses very old versions of Apache HTTPClient from around 2012.

      https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

      From Axis2 1.8.0 on, we removed support for Apache HTTPClient 3.x completely.

      In the 1.7.x release series, removing Apache HTTPClient 3.x and running only 4.x is possible, as explained in AXIS2-5959, but users should still upgrade to Axis2 1.8.0 anyway.

      For Apache HTTPClient 4.x, the link above from 2012 describes problems fixed many years ago. See CVE-2014-3577.

      All users of Axis2 are encouraged to always run the latest Apache httpcore and httpclient libs.

      The Axis2 1.8.0 release this past August 2021 included Apache httpclient version 4.5.13 in our pom.xml, and there have been no releases of Apache httpclient since.

      Since Axis2 1.8.0, there was a release of Apache httpcore 4.4.15. Users are encouraged to update their pom.xml to the latest version. The pom.xml in the Axis2 master branch is up to date.
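
A way to check a deployment against the versions named above, as an added example that is not part of the original issue or of Axis2. It assumes Maven-style jar names (`artifact-version.jar`), that HTTPClient 3.x ships as `commons-httpclient`, and it treats 4.5.13 and 4.4.15 as version floors; the function names and the sample list are constructed.

```python
import re

# Versions named in this issue, used here as floors (an assumption of this example).
FLOORS = {"httpclient": (4, 5, 13), "httpcore": (4, 4, 15)}

# Matches only the three core artifacts; httpclient-cache, httpcore-nio etc. are skipped.
JAR_RE = re.compile(
    r"^(commons-httpclient|httpclient|httpcore)-(\d+(?:\.\d+)*)([.-].*)?\.jar$"
)


def parse_version(text):
    """'4.5.13' -> (4, 5, 13), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_jar(name):
    """Return (artifact, version, verdict) for an HTTP client jar, else None."""
    match = JAR_RE.match(name)
    if match is None:
        return None
    artifact, version = match.group(1), match.group(2)
    if artifact == "commons-httpclient":
        # HTTPClient 3.x: support was removed entirely in Axis2 1.8.0.
        return (artifact, version, "remove: HTTPClient 3.x")
    floor = FLOORS[artifact]
    if parse_version(version) < floor:
        return (artifact, version, "upgrade to >= " + ".".join(map(str, floor)))
    return (artifact, version, "ok")


def audit_names(names):
    """Audit an iterable of jar file names, e.g. the listing of WEB-INF/lib."""
    return [result for result in map(audit_jar, names) if result is not None]


# Constructed sample: a lib directory carried over from an Axis2 1.7.x install.
SAMPLE_LIB = [
    "axis2-kernel-1.7.9.jar",
    "commons-httpclient-3.1.jar",
    "httpclient-4.2.1.jar",
    "httpcore-4.4.15.jar",
    "httpclient-cache-4.5.13.jar",
]

if __name__ == "__main__":
    for artifact, version, verdict in audit_names(SAMPLE_LIB):
        print(f"{artifact} {version}: {verdict}")
```

To audit a real deployment, pass the file names from its lib directory, for example `audit_names(os.listdir("WEB-INF/lib"))`.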

          People

            robertlazarski Robert Lazarski