[jira] [Updated] (CXF-9009) Async operations fail in concurrent calls
[ https://issues.apache.org/jira/browse/CXF-9009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko updated CXF-9009:
------------------------------
    Fix Version/s: 3.5.9
                   4.1.0
                   4.0.5
                   3.6.4

> Async operations fail in concurrent calls
> -----------------------------------------
>
> Key: CXF-9009
> URL: https://issues.apache.org/jira/browse/CXF-9009
> Project: CXF
> Issue Type: Bug
> Components: JAX-WS Runtime
> Affects Versions: 3.5.8, 3.6.3, 4.0.4
> Reporter: Julio J. Gomez Diaz
> Assignee: Andriy Redko
> Priority: Major
> Fix For: 3.5.9, 4.1.0, 4.0.5, 3.6.4
> Attachments: spring-soap.zip
>
> An exception occurs when a SOAP client is used concurrently in async operations, the exception is as follows:
>
> {code:java}
> org.apache.cxf.interceptor.Fault: Could not send Message.
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:434) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:412) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invokeAsync(JaxWsClientProxy.java:326) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at jdk.proxy2/jdk.proxy2.$Proxy95.countAsync(Unknown Source) ~[na:na]
>     at com.example.demo.rest.RestController.lambda$async$1(RestController.java:25) ~[classes/:na]
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[na:na]
>     at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
> Caused by: io.netty.channel.StacklessClosedChannelException: null
>     at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source) ~[netty-transport-4.1.109.Final.jar:4.1.109.Final]
> {code}
>
> I created a reproducer application (find attached "spring-soap.zip") that acts as client and server, and this publishes the following operations:
> * [http://localhost:8080/async] -> it uses a soap client to call concurrently using an async operation (this {*}fails with the exception previously described{*})
> * [http://localhost:8080/sync] -> it uses a soap client to call concurrently using an ordinary operation (ends without errors)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (CXF-9009) Async operations fail in concurrent calls
[ https://issues.apache.org/jira/browse/CXF-9009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko updated CXF-9009:
------------------------------
    Affects Version/s: 3.6.3
                       3.5.8

> Async operations fail in concurrent calls
> -----------------------------------------
>
> Key: CXF-9009
> URL: https://issues.apache.org/jira/browse/CXF-9009
> Project: CXF
> Issue Type: Bug
> Components: JAX-WS Runtime
> Affects Versions: 3.5.8, 3.6.3, 4.0.4
> Reporter: Julio J. Gomez Diaz
> Assignee: Andriy Redko
> Priority: Major
> Attachments: spring-soap.zip
>
> An exception occurs when a SOAP client is used concurrently in async operations, the exception is as follows:
>
> {code:java}
> org.apache.cxf.interceptor.Fault: Could not send Message.
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:434) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:412) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invokeAsync(JaxWsClientProxy.java:326) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at jdk.proxy2/jdk.proxy2.$Proxy95.countAsync(Unknown Source) ~[na:na]
>     at com.example.demo.rest.RestController.lambda$async$1(RestController.java:25) ~[classes/:na]
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[na:na]
>     at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
> Caused by: io.netty.channel.StacklessClosedChannelException: null
>     at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source) ~[netty-transport-4.1.109.Final.jar:4.1.109.Final]
> {code}
>
> I created a reproducer application (find attached "spring-soap.zip") that acts as client and server, and this publishes the following operations:
> * [http://localhost:8080/async] -> it uses a soap client to call concurrently using an async operation (this {*}fails with the exception previously described{*})
> * [http://localhost:8080/sync] -> it uses a soap client to call concurrently using an ordinary operation (ends without errors)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-9009) Async operations fail in concurrent calls
[ https://issues.apache.org/jira/browse/CXF-9009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17847413#comment-17847413 ]

Andriy Redko commented on CXF-9009:
-----------------------------------

{noformat}
May 17, 2024 2:52:39 P.M. io.netty.channel.ChannelInitializer exceptionCaught
WARNING: Failed to initialize a channel. Closing: [id: 0xe5e4c70d]
java.lang.IllegalStateException: complete already: DefaultChannelPromise@1876fa2c(success)
    at io.netty.util.concurrent.DefaultPromise.setSuccess(DefaultPromise.java:100)
    at io.netty.channel.DefaultChannelPromise.setSuccess(DefaultChannelPromise.java:78)
    at org.apache.cxf.transport.http.netty.client.NettyHttpClientPipelineFactory.initChannel(NettyHttpClientPipelineFactory.java:187)
    at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
    at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
    at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
    at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
    at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
    at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
    at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
    at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
    at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
    at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429)
    at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486)
    at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:833)
{noformat}

For the record, this is the real cause of the issue.

> Async operations fail in concurrent calls
> -----------------------------------------
>
> Key: CXF-9009
> URL: https://issues.apache.org/jira/browse/CXF-9009
> Project: CXF
> Issue Type: Bug
> Components: JAX-WS Runtime
> Affects Versions: 4.0.4
> Reporter: Julio J. Gomez Diaz
> Assignee: Andriy Redko
> Priority: Major
> Attachments: spring-soap.zip
>
> An exception occurs when a SOAP client is used concurrently in async operations, the exception is as follows:
>
> {code:java}
> org.apache.cxf.interceptor.Fault: Could not send Message.
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:434) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:412) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invokeAsync(JaxWsClientProxy.java:326) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138) ~[cxf-rt-frontend-jaxws-4.0.4.jar:4.0.4]
>     at jdk.proxy2/jdk.proxy2.$Proxy95.countAsync(Unknown Source) ~[na:na]
>     at com.example.demo.rest.RestController.lambda$async$1(RestController.java:25) ~[classes/:na]
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[na:na]
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[na:na]
>     at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
> Caused by: io.netty.channel.StacklessClosedChannelException: null
>     at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source) ~[netty-transport-4.1.109.Final.jar:4.1.109.Final]
> {code}
>
> I created a reproducer application (find att
[jira] [Resolved] (CXF-9002) JAXRSMultithreadedClientTest test cases failing on IBM JDK.
[ https://issues.apache.org/jira/browse/CXF-9002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko resolved CXF-9002.
-------------------------------
    Resolution: Fixed

> JAXRSMultithreadedClientTest test cases failing on IBM JDK.
> ------------------------------------------------------------
>
> Key: CXF-9002
> URL: https://issues.apache.org/jira/browse/CXF-9002
> Project: CXF
> Issue Type: Test
> Components: JAX-RS
> Affects Versions: 4.0.4
> Reporter: Jamie Mark Goodyear
> Priority: Major
>
> JAXRSMultithreadedClientTest test cases failing on IBM JDK (Semeru 17).
> There is a JAXRS system test failure for {{JAXRSMultithreadedClientTest}} test cases:
> JAXRSMultithreadedClientTest.testStatefulWebClientThreadLocalWithCopy
> JAXRSMultithreadedClientTest.testStatefulWebClientWithCopy
> JAXRSMultithreadedClientTest.testThreadSafeProxyWithCopy
> The commonality between these tests is that {{threadSafe}} is set to false, which triggers a copy of existing client with WebClient.fromClient.
> The error traces contain the following shape:
> {code:java}
> Exception in thread "pool-12-thread-2" java.lang.AssertionError: WebClientWorker thread failed for 10,value10
>     at org.junit.Assert.fail(Assert.java:89)
>     at org.apache.cxf.systest.jaxrs.JAXRSMultithreadedClientTest$WebClientWorker.run(JAXRSMultithreadedClientTest.java:208)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>     at java.base/java.lang.Thread.run(Thread.java:857)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponse(HttpClientHTTPConduit.java:751)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponseCode(HttpClientHTTPConduit.java:760)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1653)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1684)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1626)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1420)
>     ... 19 more
> Caused by: java.lang.InterruptedException
>     at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:386)
>     at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponse(HttpClientHTTPConduit.java:731)
>     ... 24 more
> Exception in thread "pool-12-thread-4" java.lang.AssertionError: WebClientWorker thread failed for 8,value8
>     at org.junit.Assert.fail(Assert.java:89)
>     at org.apache.cxf.systest.jaxrs.JAXRSMultithreadedClientTest$WebClientWorker.run(JAXRSMultithreadedClientTest.java:208)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>     at java.base/java.lang.Thread.run(Thread.java:857)
> {code}
> When this suite is run on Hotspot based JVMs, the test cases pass. This is reproducible by changing directory to systests/jaxrs, then executing:
> {{mvn clean install -Dtest=JAXRSMultithreadedClientTest}}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-9002) JAXRSMultithreadedClientTest test cases failing on IBM JDK.
[ https://issues.apache.org/jira/browse/CXF-9002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17847265#comment-17847265 ]

Jamie Mark Goodyear commented on CXF-9002:
------------------------------------------

Returning to check this branch - the JAXRSMultithreadedClientTest suite is now passing builds on IBM Java.

> JAXRSMultithreadedClientTest test cases failing on IBM JDK.
> ------------------------------------------------------------
>
> Key: CXF-9002
> URL: https://issues.apache.org/jira/browse/CXF-9002
> Project: CXF
> Issue Type: Test
> Components: JAX-RS
> Affects Versions: 4.0.4
> Reporter: Jamie Mark Goodyear
> Priority: Major
>
> JAXRSMultithreadedClientTest test cases failing on IBM JDK (Semeru 17).
> There is a JAXRS system test failure for {{JAXRSMultithreadedClientTest}} test cases:
> JAXRSMultithreadedClientTest.testStatefulWebClientThreadLocalWithCopy
> JAXRSMultithreadedClientTest.testStatefulWebClientWithCopy
> JAXRSMultithreadedClientTest.testThreadSafeProxyWithCopy
> The commonality between these tests is that {{threadSafe}} is set to false, which triggers a copy of existing client with WebClient.fromClient.
> The error traces contain the following shape:
> {code:java}
> Exception in thread "pool-12-thread-2" java.lang.AssertionError: WebClientWorker thread failed for 10,value10
>     at org.junit.Assert.fail(Assert.java:89)
>     at org.apache.cxf.systest.jaxrs.JAXRSMultithreadedClientTest$WebClientWorker.run(JAXRSMultithreadedClientTest.java:208)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>     at java.base/java.lang.Thread.run(Thread.java:857)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponse(HttpClientHTTPConduit.java:751)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponseCode(HttpClientHTTPConduit.java:760)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1653)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1684)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1626)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1420)
>     ... 19 more
> Caused by: java.lang.InterruptedException
>     at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:386)
>     at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096)
>     at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.getResponse(HttpClientHTTPConduit.java:731)
>     ... 24 more
> Exception in thread "pool-12-thread-4" java.lang.AssertionError: WebClientWorker thread failed for 8,value8
>     at org.junit.Assert.fail(Assert.java:89)
>     at org.apache.cxf.systest.jaxrs.JAXRSMultithreadedClientTest$WebClientWorker.run(JAXRSMultithreadedClientTest.java:208)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>     at java.base/java.lang.Thread.run(Thread.java:857)
> {code}
> When this suite is run on Hotspot based JVMs, the test cases pass. This is reproducible by changing directory to systests/jaxrs, then executing:
> {{mvn clean install -Dtest=JAXRSMultithreadedClientTest}}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-9017) Regression in proxy-based restful client
[ https://issues.apache.org/jira/browse/CXF-9017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17847258#comment-17847258 ]

Andriy Redko commented on CXF-9017:
-----------------------------------

[~iiliev2] is it the duplicate of https://issues.apache.org/jira/browse/CXF-8992 (same cause)? thank you

> Regression in proxy-based restful client
> ----------------------------------------
>
> Key: CXF-9017
> URL: https://issues.apache.org/jira/browse/CXF-9017
> Project: CXF
> Issue Type: Bug
> Reporter: Ivan Iliev
> Priority: Critical
>
> The memory leak fix introduced in https://issues.apache.org/jira/browse/CXF-8946 breaks the way the ClientProxyImpl works. It passes its ClientConfiguration down to sub-proxies. When those sub-proxies get garbage collected, that configuration gets closed. One of the objects that are closed is AbstractConduitSelector -> conduits. After that, any newly created sub-proxies will have misconfigured clients.
> For example, we are configuring TLSClientParameters on the conduit of the root, which gets wiped out and therefore the new child clients can no longer connect.
> {code:java}
> API api = JAXRSClientFactory.create(endpoint, , getCxfProviders(), true); // root proxy
> configure(api);//add TLSClientParameters
> SomeResource s = api.getSomeResource(); // sub-proxy
>
>
> SomeOtherResource s2 = api.get(); //broken
> {code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko resolved CXF-9016.
-------------------------------
    Resolution: Information Provided

It was done already

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
> Key: CXF-9016
> URL: https://issues.apache.org/jira/browse/CXF-9016
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
> Reporter: Nikhil
> Priority: Major
>
> We have a high severity security issue with spring-framework ::
> h2. Affected Spring Products and Versions
> Spring Framework
> * 6.1.0 - 6.1.5
> * 6.0.0 - 6.0.18
> * 5.3.0 - 5.3.33
> * Older, unsupported versions are also affected
>
> {*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input.
>
> *Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input.
> –
> All these issues were fixed in Spring-Framework *5.3.34*
>
> *Could you please review and update Spring-Framework as needed in CXF package ?*

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (CXF-9017) Regression in proxy-based restful client
Ivan Iliev created CXF-9017:
----------------------------

Summary: Regression in proxy-based restful client
Key: CXF-9017
URL: https://issues.apache.org/jira/browse/CXF-9017
Project: CXF
Issue Type: Bug
Reporter: Ivan Iliev

The memory leak fix introduced in https://issues.apache.org/jira/browse/CXF-8946 breaks the way the ClientProxyImpl works. It passes its ClientConfiguration down to sub-proxies. When those sub-proxies get garbage collected, that configuration gets closed. One of the objects that are closed is AbstractConduitSelector -> conduits. After that, any newly created sub-proxies will have misconfigured clients.
For example, we are configuring TLSClientParameters on the conduit of the root, which gets wiped out and therefore the new child clients can no longer connect.
{code:java}
API api = JAXRSClientFactory.create(endpoint, , getCxfProviders(), true); // root proxy
configure(api);//add TLSClientParameters
SomeResource s = api.getSomeResource(); // sub-proxy
SomeOtherResource s2 = api.get(); //broken
{code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil updated CXF-9016:
------------------------
    Description:
We have a high severity security issue with spring-framework ::
h2. Affected Spring Products and Versions
Spring Framework
* 6.1.0 - 6.1.5
* 6.0.0 - 6.0.18
* 5.3.0 - 5.3.33
* Older, unsupported versions are also affected

{*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input.

*Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input.
–
All these issues were fixed in Spring-Framework *5.3.34*

*Could you please review and update Spring-Framework as needed in CXF package ?*

  was:
We have a high severity security issue with spring-framework which affects the below spring-framework versions ::

{*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input.

*Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input.
--
All these issues were fixed in Spring-Framework *5.3.34*

Could you please review and update Spring-Framework as needed in CXF package ?

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
> Key: CXF-9016
> URL: https://issues.apache.org/jira/browse/CXF-9016
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
> Reporter: Nikhil
> Priority: Major
>
> We have a high severity security issue with spring-framework ::
> h2. Affected Spring Products and Versions
> Spring Framework
> * 6.1.0 - 6.1.5
> * 6.0.0 - 6.0.18
> * 5.3.0 - 5.3.33
> * Older, unsupported versions are also affected
>
> {*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input.
>
> *Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input.
> –
> All these issues were fixed in Spring-Framework *5.3.34*
>
> *Could you please review and update Spring-Framework as needed in CXF package ?*

--
This message was sent by Atlassian Jira (v8.20.10#820010)
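
A dependency check for the affected ranges listed in the CXF-9016 description above, as an added example that is not part of the original messages or of CXF: it scans `mvn dependency:tree` output for `org.springframework` modules and classifies each version against those ranges. The sample tree and the status labels are constructed for illustration; `UriComponentsBuilder` itself ships in the `spring-web` module.

```python
import re

# Affected ranges exactly as listed in the issue description (inclusive).
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 1, 5)),
    ((6, 0, 0), (6, 0, 18)),
    ((5, 3, 0), (5, 3, 33)),
]
# "Older, unsupported versions are also affected": anything below 5.3.0.
OLDEST_LISTED = (5, 3, 0)

# group:artifact:type[:classifier]:version:scope as printed by dependency:tree.
# Requiring ':' right after the group keeps org.springframework.boot etc. out.
DEP = re.compile(
    r"(?<![\w.])org\.springframework:(?P<artifact>spring-[\w.-]+):[\w-]+:"
    r"(?:[\w.-]+:)?(?P<version>\d+(?:\.\d+){1,2}[\w.-]*):"
    r"(?P<scope>compile|runtime|test|provided|system)\b"
)


def parse_version(text):
    """Return (major, minor, patch); suffixes such as .RELEASE or -RC1 are
    ignored, so a pre-release is treated like its release (conservative)."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+){0,2}", text).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version):
    """Map a version string to a status label (labels are this example's own)."""
    v = parse_version(version)
    if v < OLDEST_LISTED:
        return "affected-unsupported"
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not-listed"


def scan(tree_text):
    """Return (artifact, version, scope, status) for each Spring Framework module."""
    return [
        (m["artifact"], m["version"], m["scope"], classify(m["version"]))
        for m in DEP.finditer(tree_text)
    ]


# Constructed sample of `mvn dependency:tree` output (not taken from CXF).
SAMPLE_TREE = r"""
[INFO] org.example:demo-client:jar:1.0.0
[INFO] +- org.example:legacy-lib:jar:2.1.0:compile
[INFO] |  \- org.springframework:spring-web:jar:5.3.33:compile
[INFO] +- org.springframework:spring-core:jar:5.3.34:compile
[INFO] +- org.springframework.boot:spring-boot:jar:2.7.18:compile
[INFO] \- org.springframework:spring-test:jar:4.3.30.RELEASE:test
"""

if __name__ == "__main__":
    for artifact, version, scope, status in scan(SAMPLE_TREE):
        print(f"{artifact:12} {version:16} {scope:8} {status}")
```

Modules that share one build are normally on the same Spring Framework version, so a flagged `spring-core` or `spring-test` is a prompt to check which `spring-web` version is resolved alongside it.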
[jira] [Created] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
Nikhil created CXF-9016:
------------------------

Summary: Upgrade Spring-Framework to 5.3.34 in Apache-cxf
Key: CXF-9016
URL: https://issues.apache.org/jira/browse/CXF-9016
Project: CXF
Issue Type: Improvement
Affects Versions: 3.6.3, 3.5.8, 3.5.7, 3.5.6, 3.5.5
Reporter: Nikhil

We have a high severity security issue with spring-framework which affects the below spring-framework versions ::

{*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input.

*Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input.
--
All these issues were fixed in Spring-Framework *5.3.34*

Could you please review and update Spring-Framework as needed in CXF package ?

--
This message was sent by Atlassian Jira (v8.20.10#820010)