Hello Axis2 Community,

Axis2 has what appears to be a seldom-used optional feature - clustering - and it has been brought to our attention that it has insecure code, demonstrated by a small proof of concept exploitation.
To be clear - you have to manually enable clustering. It is off by default. This clustering support has a dependency on Tomcat 11, which was recently discussed by the committers as odd and no one knows about any users. Apache policy is not to disclose details on public lists - if interested in creating a GitHub PR for a fix - send me an email. If you are interested in keeping clustering in Axis2 but are not able to contribute code - let us know. If no one speaks up, we will plan for a 2.0.1 release without clustering.