Bug 1028865 - The fix for CVE-2012-2379 introduced a new deployment issue to JBoss WS CXF
Status: CLOSED ERRATA
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: JBossWS
Version: 5.3.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: ---
Assigned To: Julian Coleman
Depends On: CVE-2012-2379
Blocks: 1073034
Reported: 2013-11-11 00:32 EST by Tadayoshi Sato
Modified: 2014-08-26 00:09 EDT

Doc Type: Bug Fix
Last Closed: 2014-08-26 00:09:13 EDT
Type: Bug

Attachments
reproducer (ws impl) (9.77 KB, application/zip), 2013-11-11 00:34 EST, Tadayoshi Sato
reproducer (wsdl) (1.14 KB, application/x-java-archive), 2013-11-11 00:35 EST, Tadayoshi Sato


External Trackers
Tracker: JBoss Issue Tracker
ID: JBPAPP-10903
Priority: Major
Status: Resolved
Summary: CVE-2012-2379 fix introduced a new deployment issue to JBoss WS CXF
Last Updated: 2014-08-26 00:08:26 EDT

Description Tadayoshi Sato 2013-11-11 00:32:00 EST
CVE-2012-2379 (BZ-826534) seems to have introduced the following issue to SOA-P 5.3.1.

Given we have the following web service:

@WebService(... wsdlLocation = "classpath:/greeting.wsdl")
public class GreetingServiceImpl implements GreetingService {
  ...

and we have separate packages for the web service impl and WSDL, say, example-ws.war and example-wsdl.jar, deploying example-wsdl.jar to $PROFILE/lib (or $JBOSS_HOME/jboss-as/common/lib) and then example-ws.war to $PROFILE/deploy leads to the following error at deployment time.

org.jboss.deployers.spi.DeploymentException: Error during deploy: vfszip:/opt/jboss-soa-p-5.3.1-cxf/jboss-as/server/default/deploy/example-ws.war/
	at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
	at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:185)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1454)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1172)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1113)
	at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
	at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
	at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
	at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
	at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
	at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:826)
	at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:556)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:789)
	at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:699)
	at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)
	at org.jboss.system.server.profileservice.hotdeploy.HDScanner.scan(HDScanner.java:409)
	at org.jboss.system.server.profileservice.hotdeploy.HDScanner.run(HDScanner.java:294)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: java.io.IOException: Could not find classpath:/greeting.wsdl in the additional metadatafiles!
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.checkCVE20122379(DescriptorDeploymentAspect.java:267)
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.create(DescriptorDeploymentAspect.java:83)
	at org.jboss.wsf.framework.deployment.DeploymentAspectManagerImpl.deploy(DeploymentAspectManagerImpl.java:115)
	at org.jboss.wsf.container.jboss50.deployer.ArchiveDeployerHook.deploy(ArchiveDeployerHook.java:76)
	at org.jboss.wsf.container.jboss50.deployer.AbstractWebServiceDeployer.internalDeploy(AbstractWebServiceDeployer.java:60)
	at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:55)
	at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:179)
	... 22 more
Caused by: java.io.IOException: Could not find classpath:/greeting.wsdl in the additional metadatafiles!
	at org.jboss.wsf.framework.deployment.ResourceResolverImpl.resolve(ResourceResolverImpl.java:121)
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.checkCVE20122379(DescriptorDeploymentAspect.java:261)
	... 28 more
Comment 1 Tadayoshi Sato 2013-11-11 00:34:48 EST
Created attachment 822275
reproducer (ws impl)
Comment 2 Tadayoshi Sato 2013-11-11 00:35:44 EST
Created attachment 822276
reproducer (wsdl)
Comment 6 JBoss JIRA Server 2013-11-26 09:36:06 EST
R Searls <rsearls@redhat.com> updated the status of jira JBPAPP-10903 to Coding In Progress
Comment 7 JBoss JIRA Server 2013-12-04 08:14:44 EST
R Searls <rsearls@redhat.com> made a comment on jira JBPAPP-10903

Fix made in https://svn.jboss.org/repos/jbossws/framework/branches/jbossws-framework-3.1.2
File changed: src/main/java/org/jboss/wsf/framework/deployment/ResourceResolverImpl.java
Change diff: see attachment.
Comment 8 JBoss JIRA Server 2013-12-04 08:18:25 EST
R Searls <rsearls@redhat.com> updated the status of jira JBPAPP-10903 to Resolved
Comment 10 Rick Wagner 2014-04-22 13:28:44 EDT
Hi Neil,

I'll do it now. So long as we have the code, I don't think it matters who advances the BZ.

Thanks,

Rick
Comment 11 ppecka 2014-05-28 10:28:24 EDT
Issue has been VERIFIED with bits from BZ1073034
