Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: 14.12.01, 13.07.03, 16.11.01
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      With OFBIZ-5801 I recently upgraded Axis2 to 1.6.3. But it still uses commons-httpclient-3.1, which is not only deprecated but also affected by a number of vulnerabilities:

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153

      This will also help to resolve OFBIZ-6755 (passport component).

          Activity

          Jacques Le Roux added a comment -

          I tried in trunk at revision 1732631 but it failed: needs more work... Reverted at 1732637.

          Jacques Le Roux added a comment -

          Committed in
          trunk r1733956
          R15.12 r1733957
          R14.12 r1733958+r1733959
          R13.07 r1733991

          Note: there is a newer Axis2 1.7.1 version: https://axis.apache.org/axis2/java/core/release-notes/1.7.1.html. OOTB we don't use ADB, but it is better to get the latest version anyway. I will change the issue title.

          Replacing Axis2 1.6.3 with version 1.7.1 is easy as long as you don't try to replace the commons-httpclient-3.1 lib. The only noticeable change is this warning shown in the log:

          http-bio-8443-exec-1 AxisConfigBuilder W Unable to instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug logs for more details

          It has no effect on the SOAP test services; both work.

          But the main goal of this issue is a security update, because the commons-httpclient-3.1 lib is deprecated, no longer maintained and vulnerable, and must be replaced.

          This commit also concerns OFBIZ-6755 but, to avoid mixing things, OFBIZ-6755 will be completed later. So as not to block this issue, the commons-httpclient-3.1 lib is moved from framework/service/lib to specialpurpose/passport/lib/, where it's still required.

          Normally, as explained at https://axis.apache.org/axis2/java/core/release-notes/1.7.0.html, Axis2 1.7.1 requires "HttpClient 4.2.x and should work with 4.3.x and 4.4.x, but is incompatible with 4.5.x". I did not replace commons-httpclient-3.1 with HttpClient 4.2.1, which is bundled with Axis2 1.7.1, because we already have HttpClient/Core 4.4.1 in base/lib and it works well as is (HttpClient/Core 4.4.1 is in the classpath).

          To use HttpClient/Core 4.4.1 you need to change the axis2.xml files as specified in the 1.7.0 release notes. But where to place this file in OFBiz is not obvious!

          I decided the best way was to use the Axis2 ConfigurationContextFactory.createConfigurationContextFromFileSystem() method to let Axis2 know we want the new httpclient instead of the default one (I really don't understand why the Axis2 team still prefers commons-httpclient-3.1 as default). I had to pass both locations to avoid hardcoding the repository location in the axis2.xml file.

          I have also decided the best place for the "Axis2 repository" (as they call it) was framework/service/axis2. So, following the Axis2 convention (http://wso2.com/library/tutorials/axis2-repository/), I put the axis2.xml file in framework/service/axis2/conf.
          Note: the Axis2 repository could be used to add Apache Rampart as a module to secure web services...

          After this change, there are a number of warnings thrown by Axis2, but they are actually interesting as they provide guidance for future use of modules and such (notably Apache Rampart):

          http-bio-8443-exec-10 Utils W [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
          http-bio-8443-exec-10 Utils W [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
          http-bio-8443-exec-10 Utils W [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandChecker
          http-bio-8443-exec-10 Utils W [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
          http-bio-8443-exec-10 Utils W [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
          http-bio-8443-exec-10 AxisConfigBuilder W Unable to instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug logs for more details
          http-bio-8443-exec-10 AxisConfigBuilder W Unable to instantiate deployer org.apache.axis2.jaxws.framework.JAXWSDeployer; see debug logs for more details

          While at it, I replaced the deprecated StAXOMBuilder with OMXMLBuilderFactory.

          I will backport the changes to the supported release branches except R12.04. The others all use a HttpClient/Core version older than 4.2.1. I'm aware I will have to handle several conflicts by hand; some are easy, others "harder". We have the passport component only in R15.12, so it will be easy to neglect in older releases. I expect more work with the LICENSE file and even more with the .classpath file. Since R15.12 we use tabs in it (Adrian rightly told us to use the Eclipse internal tools to edit this file, though I noted it does not respect the alphabetical order), but older releases still use spaces (and this is often a pain now, but a bright future lies ahead).

          Crossing fingers with this commit; I have other changes pending in this instance (notably for OFBIZ-6849) and it got quite complicated.

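As an added illustration (not code from the OFBiz commit or the Axis2 project), this is how the approach described in the comment fits together: an axis2.xml in the repository's conf directory that selects the HttpClient 4 transport sender, loaded through createConfigurationContextFromFileSystem() with both locations passed explicitly, followed by a runtime check that the transport really resolved to the HttpClient 4 sender and not to the default one backed by commons-httpclient-3.1. The path constants and the class name Axis2HttpClient4Check are assumptions; the two sender class names are the ones the Axis2 1.7.0 release notes refer to.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.transport.TransportSender;

public class Axis2HttpClient4Check {

    // Assumed paths, following the layout the comment describes: the Axis2 repository under
    // framework/service/axis2 and axis2.xml in its conf directory. Real code would resolve
    // them from the OFBiz home directory at runtime.
    static final String REPOSITORY = "framework/service/axis2";
    static final String AXIS2_XML = REPOSITORY + "/conf/axis2.xml";

    /*
     * The axis2.xml change the 1.7.0 release notes describe, applied to each transportSender:
     *
     *   default (pulls in commons-httpclient-3.1):
     *   <transportSender name="https" class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
     *
     *   HttpClient 4.x:
     *   <transportSender name="https" class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
     */
    static final String HTTPCLIENT4_SENDER =
            "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Passing both paths keeps the repository location out of axis2.xml, as the comment explains. */
    public static ConfigurationContext createContext() throws AxisFault {
        return ConfigurationContextFactory.createConfigurationContextFromFileSystem(REPOSITORY, AXIS2_XML);
    }

    /** True only if the sender Axis2 actually instantiated for this transport is the HttpClient 4 one. */
    public static boolean usesHttpClient4(ConfigurationContext ctx, String transport) throws AxisFault {
        TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(transport);
        if (out == null) {
            return false;               // transport not configured at all: nothing to trust
        }
        TransportSender sender = out.getSender();
        return sender != null && HTTPCLIENT4_SENDER.equals(sender.getClass().getName());
    }

    public static void main(String[] args) throws AxisFault {
        ConfigurationContext ctx = createContext();
        for (String transport : new String[] {"http", "https"}) {
            System.out.println(transport + " uses HttpClient 4: " + usesHttpClient4(ctx, transport));
        }
    }
}
```

Running the check against a deployment where axis2.xml still names CommonsHTTPTransportSender returns false for both transports, which is the signal that the deprecated library is still on the request path.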

            People

            • Assignee: Jacques Le Roux
            • Reporter: Jacques Le Roux