Re: CXF 4.0.0 jakarta release

2022-12-13 Thread Andriy Redko
Fixed (as part of [1]) all GraalVM samples:

DK> jaxws_graalvm  
DK> jaxws_graalvm_dynamic   
DK> jax_rs/graalvm_basic

Also fixed:

DK> jax_rs/description_openapi_v3_spring - classpath?   Jackson not found
DK> jax_rs/description_openapi_v3_web - classpath?   Jackson not found
DK> jax_rs/sse_tomcat - classpath?   Jackson not found

And will pick these ones:

DK> jax_rs/websocket - gives "WARNING: Websocket protocol not supported" which 
seems to defeat the entire purpose of the sample
DK> jms_spring_config - hangs on client stop
DK> jms_spec_demo - server doesn't start, JNDI, 
org.apache.activemq.jndi.ActiveMQInitialContextFactory (not artemis)
DK> jms_pubsub - broker doesn't start
DK> jax_rs/spring_boot_scan
DK> jax_rs/tracing_brave
DK> jax_rs/tracing_opentracing
DK> jax_rs/tracing_opentracing_camel
DK> jax_rs/description_openapi_microprofile_spring - spring config or classpath 
issue
DK>  java.lang.ClassNotFoundException: 
org.eclipse.microprofile.openapi.models.servers.ServerVariables
DK> jax_rs/spring_security - lots of stack traces on startup, likely spring 
config issues

Here is what's left:

DK> jaxrs/basic_oidc
DK> jaxrs/big_query
DK> corba (weird ORB errors with java17, missing transaction classes with 
java11)
DK> js_browser_client_java_first  (ClassNotFoundException: 
org.eclipse.jetty.util.resource.FileResource)

[1] https://issues.apache.org/jira/browse/CXF-8743

Thanks!

Best Regards,
Andriy Redko


DK> I finished going through all the samples. This is what’s left:

DK> Problems:
DK> jax_rs/description_openapi_microprofile_spring - spring config or classpath 
issue
DK>  java.lang.ClassNotFoundException: 
org.eclipse.microprofile.openapi.models.servers.ServerVariables
DK> jax_rs/description_openapi_v3_spring - classpath?   Jackson not found
DK> jax_rs/description_openapi_v3_web - classpath?   Jackson not found
DK> jax_rs/spring_security - lots of stack traces on startup, likely spring 
config issues
DK> jax_rs/sse_tomcat - classpath?   Jackson not found
DK> jax_rs/websocket - gives "WARNING: Websocket protocol not supported" which 
seems to defeat the entire purpose of the sample
DK> corba (weird ORB errors with java17, missing transaction classes with 
java11)
DK> js_browser_client_java_first  (ClassNotFoundException: 
org.eclipse.jetty.util.resource.FileResource)
DK> jms_spring_config - hangs on client stop
DK> jms_spec_demo - server doesn't start, JNDI, 
org.apache.activemq.jndi.ActiveMQInitialContextFactory (not artemis)
DK> jms_pubsub - broker doesn't start


DK> Did not try:  (M1 mac, not "native-image")
DK> jaxws_graalvm  
DK> jaxws_graalvm_dynamic   
DK> jax_rs/graalvm_basic

DK> Did not try: (other setup things required) (ex: google dev id, docker, 
etc..)
DK> jaxrs/basic_oidc
DK> jaxrs/big_query
DK> jax_rs/spring_boot_scan
DK> jax_rs/tracing_brave
DK> jax_rs/tracing_opentracing
DK> jax_rs/tracing_opentracing_camel


DK> Feel free to grab something and fix it.  :) 

DK> Dan





>> On Dec 12, 2022, at 4:21 PM, Daniel Kulp  wrote:
>> 
>>> 
>>> I passed through all samples to make sure they are compilable and 
>>> buildable, but I only
>>> run a handful of them, it would be great to check that all samples do 
>>> actually work. 
>>> I can take *jms* and *jaxrs* ones, may take a few days though. Sounds like 
>>> a plan? If 
>>> yes, I will create an umbrella issue so we could track individual samples. 
>>> Thank you 
>>> for bringing this on up.
>> 
>> I went through all the other samples (non JMS and non RS) and fixed up the 
>> “easy” ones.   What’s left:
>> 
>> corba (weird ORB errors with java17, missing transaction classes with java11)
>> js_browser_client_java_first  (ClassNotFoundException: 
>> org.eclipse.jetty.util.resource.FileResource)
>> sts  (some spring bean definition issues)
>> ws_notification (jms broker issues)
>> ws_transaction (spring test runner doesn't actually run the test, not sure 
>> why)
>> 
>> 
>> Did not try:  (M1 mac, no  "native-image” available)
>> jaxws_graalvm
>> jaxws_graalvm_dynamic
>> 
>> 
>> 
>> Not sure what to do with the CORBA things….  Likely could add the  
>> javax.transaction things and get it to run with Java11. Might be a case 
>> where the example works on 11 and not 17.   
>> 
>> 
>> Dan
>> 
>> 
>> 
>> 
>> 
>>> 
>>> Best Regards,
>>>   Andriy Redko
>>> 
>>> 
> Yes, as Jim mentioned, most of our tests need JDK-17 to run (because of 
> Spring 6), 
> we also need JDK-17 to compile (same reason), but when Spring is not 
> involved (it is 
> optional by and large), JDK-11 is sufficient. We do have a number of 
> samples (bundled
> with distribution) that run on JDK-11 with no issues. Please let me know 
> your conclusions
> and if you need any help or pointers here. Thank you.
>>> 
>>> DK> Found a minor class loader issue in cxf-core which fixed a couple of 
>>> things related to using spring5. (Non-servlet spring 5) I’ll get that 
>>> committed shortly once test run. 
>>> 
>>> DK> That 

CVE-2022-46364: Apache CXF SSRF Vulnerability

2022-12-13 Thread Colm O hEigeartaigh
CVE-2022-46364: Apache CXF SSRF Vulnerability

Severity: important

Description:

A SSRF vulnerability in parsing the href attribute of XOP:Include in
MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows
an attacker to perform SSRF style attacks on webservices that take at
least one parameter of any type.

Credit:

thanat0s from Beijin Qihoo 360 adlab (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46364
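The advisory above describes the risk class without showing what the vulnerable input looks like: in MTOM, an XOP:Include element carries an href that is meant to be a cid: reference to a MIME part of the same message, and a resolver that dereferences other URL schemes from that attribute turns a request parameter into a server-side fetch. The following added example (written for this page, not Apache CXF code and not the project's fix) shows a defensive check that walks a SOAP envelope and accepts only cid: hrefs; the envelope, the element and host names in it are constructed for the illustration. The fix for the CVE itself is upgrading to the versions the advisory names (3.5.5 or 3.4.10); a check like this belongs in a gateway or custom interceptor in front of services that cannot be upgraded immediately.

```python
"""Added example (not Apache CXF code): accept only cid: references in the
href attribute of XOP:Include elements inside an MTOM SOAP envelope."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace defined by the XOP specification for the Include element.
XOP_NS = "http://www.w3.org/2004/08/xop/include"

# Constructed sample envelope: the first Include is a legitimate reference to
# a MIME part of the same message; the second points at a URL that a resolver
# which fetches arbitrary schemes would turn into an outbound request.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xop="http://www.w3.org/2004/08/xop/include">
  <soap:Body>
    <upload>
      <data><xop:Include href="cid:part1@example.org"/></data>
      <data><xop:Include href="http://intranet.example/internal"/></data>
    </upload>
  </soap:Body>
</soap:Envelope>"""


def xop_hrefs(envelope_xml: str) -> list[str]:
    """Return the href of every xop:Include in document order."""
    root = ET.fromstring(envelope_xml)
    return [el.get("href", "") for el in root.iter(f"{{{XOP_NS}}}Include")]


def is_safe_xop_href(href: str) -> bool:
    """True only for a cid: URI with a non-empty content-id.

    Any other scheme (http, https, file, ...) is rejected outright rather
    than resolved, which removes the server-side fetch the advisory describes.
    """
    parsed = urlparse(href)
    return parsed.scheme.lower() == "cid" and bool(parsed.path)


def check_envelope(envelope_xml: str) -> dict[str, bool]:
    """Map each href found in the envelope to whether it passes the check."""
    return {href: is_safe_xop_href(href) for href in xop_hrefs(envelope_xml)}


if __name__ == "__main__":
    for href, ok in check_envelope(SAMPLE_ENVELOPE).items():
        print(f"{'accept' if ok else 'REJECT'}  {href}")
```

A message with any rejected href should be refused as a whole rather than processed with the offending part skipped, since the point of the check is that the request never causes a fetch. Note that the check is on the attribute value only; it does not verify that the referenced MIME part is actually present, which the MTOM deserialiser still has to do.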


Re: CXF 4.0.0 jakarta release

2022-12-13 Thread Daniel Kulp

I finished going through all the samples. This is what’s left:

Problems:
jax_rs/description_openapi_microprofile_spring - spring config or classpath issue
 java.lang.ClassNotFoundException: 
org.eclipse.microprofile.openapi.models.servers.ServerVariables
jax_rs/description_openapi_v3_spring - classpath?   Jackson not found
jax_rs/description_openapi_v3_web - classpath?   Jackson not found
jax_rs/spring_security - lots of stack traces on startup, likely spring config 
issues
jax_rs/sse_tomcat - classpath?   Jackson not found
jax_rs/websocket - gives "WARNING: Websocket protocol not supported" which 
seems to defeat the entire purpose of the sample
corba (weird ORB errors with java17, missing transaction classes with java11)
js_browser_client_java_first  (ClassNotFoundException: 
org.eclipse.jetty.util.resource.FileResource)
jms_spring_config - hangs on client stop
jms_spec_demo - server doesn't start, JNDI, 
org.apache.activemq.jndi.ActiveMQInitialContextFactory (not artemis)
jms_pubsub - broker doesn't start


Did not try:  (M1 mac, not "native-image")
jaxws_graalvm  
jaxws_graalvm_dynamic   
jax_rs/graalvm_basic

Did not try: (other setup things required) (ex: google dev id, docker, etc..)
jaxrs/basic_oidc
jaxrs/big_query
jax_rs/spring_boot_scan
jax_rs/tracing_brave
jax_rs/tracing_opentracing
jax_rs/tracing_opentracing_camel


Feel free to grab something and fix it.  :) 

Dan





> On Dec 12, 2022, at 4:21 PM, Daniel Kulp  wrote:
> 
>> 
>> I passed through all samples to make sure they are compilable and buildable, 
>> but I only
>> run a handful of them, it would be great to check that all samples do 
>> actually work. 
>> I can take *jms* and *jaxrs* ones, may take a few days though. Sounds like a 
>> plan? If 
>> yes, I will create an umbrella issue so we could track individual samples. 
>> Thank you 
>> for bringing this on up.
> 
> I went through all the other samples (non JMS and non RS) and fixed up the 
> “easy” ones.   What’s left:
> 
> corba (weird ORB errors with java17, missing transaction classes with java11)
> js_browser_client_java_first  (ClassNotFoundException: 
> org.eclipse.jetty.util.resource.FileResource)
> sts  (some spring bean definition issues)
> ws_notification (jms broker issues)
> ws_transaction (spring test runner doesn't actually run the test, not sure 
> why)
> 
> 
> Did not try:  (M1 mac, no  "native-image” available)
> jaxws_graalvm
> jaxws_graalvm_dynamic
> 
> 
> 
> Not sure what to do with the CORBA things….  Likely could add the  
> javax.transaction things and get it to run with Java11. Might be a case where 
> the example works on 11 and not 17.   
> 
> 
> Dan
> 
> 
> 
> 
> 
>> 
>> Best Regards,
>>   Andriy Redko
>> 
>> 
 Yes, as Jim mentioned, most of our tests need JDK-17 to run (because of 
 Spring 6), 
 we also need JDK-17 to compile (same reason), but when Spring is not 
 involved (it is 
 optional by and large), JDK-11 is sufficient. We do have a number of 
 samples (bundled
 with distribution) that run on JDK-11 with no issues. Please let me know 
 your conclusions
 and if you need any help or pointers here. Thank you.
>> 
>> DK> Found a minor class loader issue in cxf-core which fixed a couple of 
>> things related to using spring5. (Non-servlet spring 5) I’ll get that 
>> committed shortly once test run. 
>> 
>> DK> That said, has anyone actually gone through the samples and actually 
>> made sure they work?  They compile OK (with java17), but many don’t actually 
>> work. None of the JMS samples seem to work at all. Some are still 
>> setup to use activemq (might be OK, but the class path doesn’t have 
>> activemq) and others that are setup for Artemis don’t have proper spring 
>> bean configuration for it and the connection factories cannot be created.   
>> I’ve only tested a few samples, but so far I’m seeing a bunch of issues.
>> 
>> 
>> 
>> DK> Dan
>> 
>> 
 
 Best Regards,
  Andriy Redko
 
 DK> On Dec 11, 2022, at 9:36 PM, Jim Ma  wrote:
>> 
>> Hi Andriy,
>> Thanks for the quick update. Good to see this is running with the jenkins
>> pipeline and all tests are green.
>> Did it include all things for the CXF 4.0.0 release ?
 
 DK> I didn’t do the 4.0.0 release as I kind of ran out of time.   My basic 
 tests don’t work with java11, but I didn’t really get time to figure out 
 why yet.   I’m trying to figure out if it’s still actually compatible with 
 java11 or not.   If not, we should bump the jdk.version up.   
 
 
 DK> Dan
 
 
>> 
>> Thanks,
>> Jim
>> 
>> 
>> 
>> 
>> 
>> On Mon, Dec 12, 2022 at 10:06 AM Andriy Redko  wrote:
>> 
>>> Hi Jim,
>>> 
>>> I disabled this build (and
>>> https://ci-builds.apache.org/job/CXF/job/CXF-JDK19/ as well)
>>> because we run pipeline matrix [1] against both JDKs. These builds were
>>> quite useful when
>>> the main 

CVE-2022-46363: Apache CXF directory listing / code exfiltration

2022-12-13 Thread Colm O hEigeartaigh
Severity: moderate

Description:

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows
an attacker to perform a remote directory listing or code
exfiltration. The vulnerability only applies when the CXFServlet is
configured with both the static-resources-list and
redirect-query-check attributes. These attributes are not supposed to
be used together, and so the vulnerability can only arise if the CXF
service is misconfigured.

Credit:

thanat0s from Beijin Qihoo 360 adlab (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46363


Re: CXF 4.0.0 jakarta release

2022-12-13 Thread Jim Ma
I looked at these 3 corba example failures. The hello-world example has
been fixed and the other two examples still have this failure:

  Caused by: org.omg.CORBA.MARSHAL: FINE: 00810007: Underflow in BufferManagerReadStream after last fragment in message
    at jdk.proxy3.$Proxy73.endOfStream (Unknown Source)
    at com.sun.corba.ee.impl.encoding.BufferManagerReadStream.underflow (BufferManagerReadStream.java:113)
    at com.sun.corba.ee.impl.encoding.CDRInputStream_1_1.grow (CDRInputStream_1_1.java:91)
    at com.sun.corba.ee.impl.encoding.CDRInputStream_1_2.alignAndCheck (CDRInputStream_1_2.java:106)
    at com.sun.corba.ee.impl.encoding.CDRInputStream_1_0.read_long (CDRInputStream_1_0.java:374)
    at com.sun.corba.ee.impl.encoding.CDRInputStream_1_0.readStringOrIndirection (CDRInputStream_1_0.java:411)
    at com.sun.corba.ee.impl.encoding.CDRInputStream_1_0.read_string (CDRInputStream_1_0.java:449)
    at com.sun.corba.ee.impl.encoding.CDRInputObject.read_string (CDRInputObject.java:368)
    at com.sun.corba.ee.impl.corba.TypeCodeImpl.copy (TypeCodeImpl.java:1895)
    at com.sun.corba.ee.impl.corba.TypeCodeImpl.copy (TypeCodeImpl.java:1951)
    at com.sun.corba.ee.impl.corba.AnyImpl.read_value (AnyImpl.java:572)
    at com.sun.corba.ee.impl.corba.RequestImpl.unmarshalReply (RequestImpl.java:350)
    at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.handleDIIReply (MessageMediatorImpl.java:441)
    at com.sun.corba.ee.impl.protocol.ClientRequestDispatcherImpl.processResponse (ClientRequestDispatcherImpl.java:652)
    at com.sun.corba.ee.impl.protocol.ClientRequestDispatcherImpl.marshalingComplete (ClientRequestDispatcherImpl.java:349)
    at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.invoke (ClientDelegateImpl.java:238)
    at com.sun.corba.ee.impl.corba.RequestImpl.doInvocation (RequestImpl.java:310)
    at com.sun.corba.ee.impl.corba.RequestImpl.invoke (RequestImpl.java:230)
    at org.apache.cxf.binding.corba.CorbaConduit.buildRequest (CorbaConduit.java:194)

It seems that extra settings are needed for CorbaConduit when using
glassfish-orb.

Here is my draft work:
https://github.com/jimma/cxf/commit/ad605d7b006559202b2abb5c50878ebac3a48b0e

I added some comments to my change about fixing these two issues:
1. GMBALTLIB4: Multiple upper bounds not supported on S in glassfish-orb
2. java.lang.IllegalMonitorStateException: attempt to unlock read lock, not
locked by current thread

Hope this will help something.

Thanks,
Jim


On Tue, Dec 13, 2022 at 9:15 AM Andriy Redko  wrote:

> Thanks Dan,
>
> Here is my update.
>
> I have fixed:
>   ws_notification (jms broker issues)
>   ws_transaction (spring test runner doesn't actually run the test, not
> sure why)
>
>
> I will be working on:
>   jaxws_graalvm
>   jaxws_graalvm_dynamic
>
> Not looked yet:
>   corba (weird ORB errors with java17, missing transaction classes with
> java11)
>   js_browser_client_java_first  (ClassNotFoundException:
> org.eclipse.jetty.util.resource.FileResource)
>   sts  (some spring bean definition issues)
>
> Thanks.
>
> Best Regards,
> Andriy Redko
>
> >>
> >> I passed through all samples to make sure they are compilable and
> buildable, but I only
> >> run a handful of them, it would be great to check that all samples do
> actually work.
> >> I can take *jms* and *jaxrs* ones, may take a few days though. Sounds
> like a plan? If
> >> yes, I will create an umbrella issue so we could track individual
> samples. Thank you
> >> for bringing this on up.
>
> DK> I went through all the other samples (non JMS and non RS) and fixed up
> the “easy” ones.   What’s left:
>
> DK> corba (weird ORB errors with java17, missing transaction classes with
> java11)
> DK> js_browser_client_java_first  (ClassNotFoundException:
> org.eclipse.jetty.util.resource.FileResource)
> DK> sts  (some spring bean definition issues)
> DK> ws_notification (jms broker issues)
> DK> ws_transaction (spring test runner doesn't actually run the test, not
> sure why)
>
>
> DK> Did not try:  (M1 mac, no  "native-image” available)
> DK> jaxws_graalvm
> DK> jaxws_graalvm_dynamic
>
>
>
> DK> Not sure what to do with the CORBA things….  Likely could add the
> javax.transaction things and get it to run with Java11. Might be a case
> where the example works on 11 and not 17.
>
>
> DK> Dan
>
>
>
>
>
> >>
> >> Best Regards,
> >>Andriy Redko
> >>
> >>
>  Yes, as Jim mentioned, most of our tests need JDK-17 to run (because
> of Spring 6),
>  we also need JDK-17 to compile (same reason), but when Spring is not
> involved (it is
>  optional by and large), JDK-11 is sufficient. We do have a number of
> samples (bundled
>  with distribution) that run on JDK-11 with no issues. Please let me
> know your conclusions
>  and if you need any help or pointers here. Thank you.
> >>
> >> DK> Found a minor class loader issue in cxf-core which fixed a couple
> of things