Chapter 7. Known Issues


The following subsections describe the known issues in version 7.0.

7.1. CVE Security Vulnerabilities

As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.0.

ENTESB-12489 CVE-2019-9827 - Fuse Console standalone on Amazon Web Services
Due to security concerns, you should not deploy a standalone Fuse application to Amazon Web Services (AWS). This restriction applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform). If you want to deploy the Fuse Console standalone on AWS, it is highly recommended that you upgrade to Fuse 7.7 or later and disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true.
CVE-2017-12629 Solr/Lucene - security bypass to access sensitive data

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

Note

The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).

Multiple CVEs related to jackson-databind security vulnerability

Applications that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps.

At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:

  1. You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:

    1. Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    2. By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  2. There are one or more gadget classes in your Java classpath, which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during a deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.

It is the existence of a large number of gadget classes which explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.

If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON, and on no account call the ObjectMapper.enableDefaultTyping() method.
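
An added example (not part of the Red Hat documentation or the Fuse code base): a small Python audit script that flags, in Java sources, the two ways of enabling polymorphic typing listed above. The sample source and file names are constructed, and ranking class-name type ids (Id.CLASS, Id.MINIMAL_CLASS) above name-based ids is an assumption of this example that goes beyond what this page states.

```python
import re
from pathlib import Path

# The two ways of enabling polymorphic typing listed above.
DEFAULT_TYPING = re.compile(r"\benableDefaultTyping\w*\s*\(")
TYPE_INFO = re.compile(r"@JsonTypeInfo\s*\(([^)]*)\)", re.S)
# Type ids that put a Java class name into the JSON itself.
CLASS_ID = re.compile(r"\b(?:MINIMAL_)?CLASS\b")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay valid."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan_source(name, src):
    """Return (file, line, severity, reason) tuples, sorted by line."""
    code = strip_comments(src)
    line = lambda pos: code.count("\n", 0, pos) + 1
    found = [(name, line(m.start()), "HIGH", "default typing enabled globally")
             for m in DEFAULT_TYPING.finditer(code)]
    for m in TYPE_INFO.finditer(code):
        if CLASS_ID.search(m.group(1)):
            found.append((name, line(m.start()), "HIGH",
                          "class name is read from the JSON input"))
        else:
            found.append((name, line(m.start()), "REVIEW",
                          "polymorphic typing; check the subtype list"))
    return sorted(found, key=lambda f: f[1])

def scan_tree(root):
    """Scan every .java file under root (a project path you supply)."""
    return [f for p in sorted(Path(root).rglob("*.java"))
            for f in scan_source(str(p), p.read_text(encoding="utf-8", errors="replace"))]

# Constructed sample source, not taken from Fuse or any real project.
SAMPLE = """\
class Codec {
    // mapper.enableDefaultTyping() was called here once
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public Object payload;
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    public Shape shape;
    ObjectMapper build() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }
}
"""

if __name__ == "__main__":
    for finding in scan_source("Codec.java", SAMPLE):
        print("%s:%d [%s] %s" % finding)
```

The comment stripper is regex-based, so a `//` inside a string literal (a URL, for instance) hides the rest of that line from the scan.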

7.2. Fuse Online

The Fuse Online distribution and the Ignite UI have the following known issues:

2587 Cancel has no effect when importing integration
While importing an integration, pressing the Cancel button is not effective: the import happens anyway.
1558 "Save as draft" and "Publish" buttons
Both the Save as draft button and the Publish button remain active, even after a user has clicked on one of the buttons and started stepping through the procedure.
2163 Integration Editor: Save as Draft should display notification on success
After pressing the Save as Draft button, there is no success notification when the draft is saved successfully (in the event of an error, on the other hand, there is an error notification).
2561 Create LOGOUT Endpoint

When logout is invoked, it does not reliably clear all of the cookies for Ignite. Each environment with a different authentication provider (for example, RH-SSO or GitHub) presents different symptoms. Basic Authentication seems to be the most reliable, but problems have been reported in Firefox.

To avoid problems with stale cookies after logout, it is recommended that you clear the cache of Ignite cookies on your browser after logging out.

2579 Activity Log is inconsistent
The Activity Log is inconsistent due to limited ability to monitor Camel exchanges, which can be altered by any component present in the Integration.
698 DB Connector: SQL parser doesn’t recognize parameters for LIKE
In SQL statements containing the LIKE keyword (for example, DELETE FROM TODO WHERE task LIKE ':#param'), the LIKE keyword cannot be used with datamapper parameters, such as :#param.

7.3. Fuse on OpenShift

This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:

OSFUSE-849 karaf-camel-amq - wrong service amqp name
In the karaf-camel-amq quickstart, before running the quickstart with the fabric8 Maven plugin, you must configure the src/main/fabric8/deployment.yml file to use the correct remote instance of AMQ EnMasse. The AMQP_SERVICE_NAME environment variable must point to the hostname of the external messaging route exposed by EnMasse. The quickstart must run on a different OpenShift project from the one where EnMasse is deployed.
OSFUSE-848 karaf-camel-amq - missing log output in Openshift log
The karaf-camel-amq quickstart does not emit any output in the OpenShift log console because of an incorrect log configuration. Either delete the src/main/resources/assembly/etc/org.ops4j.pax.logging.cfg file to use the default configuration or provide a log4j2 configuration file (for example, like the one present in the karaf-camel-log quickstart).
OSFUSE-718 [OSO][OCP 3.7] f-m-p redeployments failing to deploy

When deploying a Fuse on OpenShift application to OpenShift Container Platform 3.7 using the Fabric8 Maven plugin, you cannot redeploy the application using the command mvn fabric8:deploy. That is, the first time you deploy using mvn fabric8:deploy, the operation succeeds, but the second (and subsequent) attempts fail silently. The workaround is to undeploy before you redeploy, as follows:

mvn fabric8:undeploy
mvn fabric8:deploy

7.4. Fuse on Spring Boot

Fuse on Spring Boot has the following known issues:

ENTESB-8118 Netty version alignment
In the Fuse 7.0 GA release, the version of Netty used by the ActiveMQ Artemis client is out of alignment with the version of Netty used by the Camel Netty component. If you use both of these components together in a Spring Boot application, two conflicting versions of Netty will be loaded into the classpath and you are likely to get errors such as NoSuchMethodError.
OSFUSE-836 spring-boot-cxf (jaxrs, jaxws) - ClassNotFoundException

In the Fuse 7.0 GA release, the spring-boot-cxf-jaxrs and spring-boot-cxf-jaxws quickstarts for Fuse on OpenShift raise a ClassNotFoundException exception when building the project.

You can fix this error in the spring-boot-cxf-jaxws quickstart by editing the project’s pom.xml file to add the correct version of the logback-core dependency, as follows:

      <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-spring-boot-starter-jaxws</artifactId>
        <exclusions>
          <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
          </exclusion>
          <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.1.11</version>
      </dependency>

You can fix this error in the spring-boot-cxf-jaxrs quickstart by editing the project’s pom.xml file to add the correct version of the logback-core dependency and the guava dependency version, as follows:

      <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-spring-boot-starter-jaxrs</artifactId>
        <exclusions>
          <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
          </exclusion>
          <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.1.11</version>
      </dependency>
      ...
      <dependency>
        <groupId>io.swagger</groupId>
        <artifactId>swagger-jaxrs</artifactId>
        <exclusions>
          <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
          </exclusion>
         </exclusions>
      </dependency>

      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>20.0</version>
      </dependency>

7.5. Fuse on Apache Karaf

Fuse on Apache Karaf has the following known issues:

ENTESB-8190 Two artifacts from indy are missing from mrrc, making a couple of features unable to install

In the Fuse 7.0 GA release, the following features cannot be installed in the Apache Karaf container:

camel-elasticsearch-rest
camel-hystrix
camel-jcifs
camel-olingo2
camel-olingo4
camel-rx
cxf-http-async
camel-spring-redis
connector

These features will be made available in a patch release for Fuse 7.0.

ENTESB-8067 Unable to install connector
In the Fuse 7.0 GA release, feature:install connector returns an error.
ENTESB-8068 Unable to install camel-spring-redis
In the Fuse 7.0 GA release, feature:install camel-spring-redis returns an error.
ENTESB-8085 rxjava-1.3.5.redhat-001 is not an osgi bundle, but rxjava-1.3.5 is
In the Fuse 7.0 GA release, the camel-hystrix and camel-rx features cannot be installed.
ENTESB-8140 Start level of hot deploy bundles is 80 by default

In the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:

felix.fileinstall.start.level = 90
ENTESB-8078 Fuse 7 can’t be started on HP-UX

In the Fuse 7.0 GA release, the Apache Karaf container fails to start on the HP-UX platform, reporting the error karaf: JVM must be greater than 1.8. To work around this error, edit the bin/inc script in your Apache Karaf installation. Replace the following line:

VERSION=$("${JAVA}" -version 2>&1 | grep -i version | sed 's/.*version ".*\.\(.*\)\..*"/\1/; 1q')

With this line:

VERSION=$("${JAVA}" -version 2>&1 | grep -i version | sed 's/.*version "[^\._]*\.\([^\._]*\)\..*"/\1/; 1q')
ENTESB-8078 Fuse 7 can’t be started on HP-UX
In the Fuse 7.0 GA release, the Karaf container cannot be started on the HP-UX platform.
ENTESB-7664 Installing framework-security feature kills karaf

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:

feature:install -v --no-auto-refresh framework-security
ENTESB-5447 Cannot add openjpa, camel-hbase, or camel-hdfs features to featuresBoot
If you add any of the features, openjpa, camel-hbase, or camel-hdfs, to featuresBoot in the etc/org.apache.karaf.features.cfg file, this will result in an OSGi wiring error. All of these features are deprecated in any case.
ENTESB-4390 Some quickstarts using SAAJ API fail on IBM JAVA

When using the Apache Karaf container with IBM Java version 1.7.0, the following quickstarts can fail:

  • bean-service
  • soap-attachment

    With the following error:

    java.lang.IllegalAccessError: Class com/sun/org/apache/xerces/internal/dom/ElementImpl illegally accessing "package private" member of class com/sun/org/apache/xerces/internal/dom/CoreDocumentImpl
        at com.sun.org.apache.xerces.internal.dom.ElementImpl.synchronizeData(ElementImpl.java:1159)
        ...

    This appears to be a problem with the IBM JDK. You can work around the problem as follows:

    1. Remove saaj-api from endorsed libraries:

      rm lib/endorsed/org.apache.servicemix.specs.saaj-api-1.3-2.5.0.jar
    2. Before invoking the ./bin/fuse script, set the JAVA_OPTS environment variable as follows:

      JAVA_OPTS=-Xshareclasses:none
ENTESB-2929 can’t install features camel-avro camel-hbase camel-hdfs2

camel-avro, camel-hbase, camel-hdfs2 are not supported on Solaris / AIX. The camel-hdfs2 feature can only run if you have libsnappyjava.dylib in java.library.path. You must manually set up libsnappyjava.dylib in Fuse before installing these features.

JBossFuse:karaf@root> features:info camel-hdfs2
		Description of camel-hdfs2 2.15.0.redhat-620133 feature
ENTESB-2773 [platform AIX HPUX] camel-leveldb missing native library
The camel-leveldb feature is not supported on IBM AIX and HP-UX operating systems. To use the camel-leveldb feature, Red Hat JBoss Fuse must be run on Red Hat Enterprise Linux, Microsoft Windows Server or Oracle Solaris.
ENTESB-3938 Fuse 6.2.1 takes a long time to start up on OpenStack

When a Fuse container is deployed on RHEL OpenStack Platform, it can take a long time (several minutes) for the container to start up. A workaround is to add the following option to the JVM that starts the container (for example, by setting the JAVA_OPTS environment variable):

-Djava.security.egd=file:/dev/./urandom

The extra dot in the pathname, as in /./, is required.

Note

The effect of the workaround is to replace the default /dev/random by /dev/urandom. The alternative is faster, but less random than /dev/random. This has an impact on any security packages that depend on this device to generate entropy and random numbers.

7.6. Apache Camel

Apache Camel has the following known issues:

ENTESB-8116 camel-weather does not work on CR2
In the Fuse 7.0 GA release, the Camel Weather component does not work.
ENTESB-8088 camel-linkedin: java.lang.SecurityException: Invalid CSRF code
In the Fuse 7.0 GA release, the Camel LinkedIn component does not work. The camel-linkedin quickstart is also not working.
ENTESB-7839 [camel-weather] FreeGeoIpGeoLocationProvider does not work as expected
The camel-weather component fails to connect to the weather service.
ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
In Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
ENTESB-2458 Google Mail Component - Import of message throws sometimes SocketTimeoutException
Importing a message may throw a java.net.SocketTimeoutException if the send operation was called before. Workaround: After a send call, wait for a few moments before calling import.
ENTESB-2365 Google Drive API bug - Response of permission insert operation mostly does not contain emailAddress property
The response of the permission insert operation sometimes does not return the emailAddress property even if the value of the request property type was set to user. Nevertheless, the permission is successfully inserted.
ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
The Google Drive API JSON response for changes returns a bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is, by setting pageToken on new requests).