Search

Chapter 7. Known Issues

download PDF

The following subsections describe the known issues in version 7.1.

7.1. CVE Security Vulnerabilities

As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.1.

ENTESB-12489 CVE-2019-9827 - Fuse Console standalone on Amazon Web Services
Due to security concerns, you should not deploy a standalone Fuse application to Amazon Web Services (AWS). This restriction applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform). If you want to deploy the Fuse Console standalone on AWS, it is highly recommended that you upgrade to Fuse 7.7 or later and disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true.
CVE-2017-12629 Solr/Lucene -security bypass to access sensitive data - CVE-2017-12629

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

Note

The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises, if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).

Multiple CVEs Multiple CVEs related to jackson-databind security vulnerability

Applications that that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps.

At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:

  1. You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:

    1. Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    2. By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  2. There are one or more gadget classes in your Java classpath, which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during a deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.

It is the existence of a large number of gadget classes which explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.

If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON and on no account should you call the ObjectMapper.enableDefaultTyping() method.

7.2. Fuse Online

The Fuse Online distribution has the following known issues:

1558 "Save as draft" and "Publish" buttons
Both the Save as draft button and the Publish button remain active, even after a user has clicked on one of the buttons and started stepping through the procedure.
2163 Integration Editor: Save as Draft should display notification on success
After pressing the Save as Draft button, there is no success notification when the draft is saved successfully (in the event of an error, on the other hand, there is an error notification).
698 DB Connector: SQL parser doesn’t recognize parameters for LIKE
In SQL statements containing the LIKE keyword (for example, DELETE FROM TODO WHERE task LIKE ‘:#param’), the LIKE keyword cannot be used with datamapper parameters, such as :#param.

7.3. Fuse on OpenShift

This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:

Bug 1614493 [3.10] Binary builds with 'large' input hangs and never completes
When attempting to build and deploy Fuse applications on some early micro versions of OpenShift Container Platform (OCP) 3.10, it is possible that the build will hang with this error. If you encounter this problem, we recommend that you upgrade to OCP 3.10.34 (or later), where this problem is fixed.
ENTESB-9514 CDK (minishift) + quickstart with binary build doesn’t work
Red Hat Container Development Kit (CDK) 3.5 uses a version of OpenShift that has some incompatibilities with Fuse 7.1 on OpenShift (in particular, build and deployment of Fuse on OpenShift quickstarts does not work). We recommend that you use CDK 3.6 instead.

7.4. Fuse on on Apache Karaf

Fuse on Apache Karaf has the following known issues:

ENTESB-8085 rxjava-1.3.5.redhat-001 is not an osgi bundle, but rxjava-1.3.5 is
In the Fuse 7.0 GA release, the camel-hystrix and camel-rx features cannot be installed.
ENTESB-8140 Start level of hot deploy bundles is 80 by default

In the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:

felix.fileinstall.start.level = 90
ENTESB-7664 Installing framework-security feature kills karaf

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:

feature:install -v --no-auto-refresh framework-security

7.5. Fuse on on JBoss EAP

Fuse on JBoss EAP has the following known issues:

ENTESB-9533 Fuse 7.1 on EAP doesn’t contain productized quickstarts

The Fuse 7.1 on JBoss EAP quickstarts cannot be built, because they are configured with an incorrect version of the Maven BOM (which is not available from the Red Hat Maven repository). To work around this problem, build the quickstarts with the additional Maven option, -Dversion.fuse=7.1.0.fuse-710019-redhat-00002. For example:

mvn clean install -Dversion.fuse=7.1.0.fuse-710019-redhat-00002

7.6. Apache Camel

Apache Camel has the following known issues:

ENTESB-9452 Salesforce on-create,on-update not triggered

A regression was introduced in the Salesforce Camel component, whereby a Salesforce consumer processes exchanges synchronously instead of asynchronously. So if a single Camel route uses the same Salesforce component instance in a consumer endpoint and a producer endpoint, it ends up deadlocked on the HTTP connection in the producer endpoint.

For example, the route below (whether it uses enrich or to for the producer endpoint) will deadlock in the getSObject endpoint:

from("salesforce:syn_Lead_c?sObjectClass=io.syndesis.example.Application$Id&sObjectQuery=SELECT+Id+FROM+Lead")
  .enrich("salesforce:getSObject?rawPayload=true&sObjectName=Lead")
  .convertBodyTo(String.class)
  .to("log:sf?showAll=true&multiline=true");

One workaround is to use a wireTap endpoint like this:

from("salesforce:syn_Lead_c?sObjectClass=io.syndesis.example.Application$Id&sObjectQuery=SELECT+Id+FROM+Lead")
  .wireTap("salesforce:getSObject?rawPayload=true&sObjectName=Lead")
  .convertBodyTo(String.class)
  .to("log:sf?showAll=true&multiline=true");

Another workaround is to break up the Camel route using SEDA endpoints like this:

from("salesforce:syn_Lead_c?sObjectClass=io.syndesis.example.Application$Id&sObjectQuery=SELECT+Id+FROM+Lead")
  .to("seda:sfenrich");

from("seda:sfenrich")
  .enrich("salesforce:getSObject?rawPayload=true&sObjectName=Lead")
  .convertBodyTo(String.class)
  .to("log:sf?showAll=true&multiline=true");

This issue will be fixed in the next Fuse release.

ENTESB-8088 camel-linkedin: java.lang.SecurityException: Invalid CSRF code
In the Fuse 7.0 GA release, the Camel LinkedIn component does not work. The camel-linkedin quickstart is also not working.
ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
In Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
ENTESB-2458 Google Mail Component - Import of message throws sometimes SocketTimeoutException
Importing a message may throw a java.net.SocketTimeoutException if the send operation was called before. Workaround: After a send call wait for few moments before calling import.
ENTESB-2365 Google Drive API bug - Response of permission insert operation mostly does not contain emailAddress property
Response of permission insert operation sometimes does not return emailAddress property even if the value of request property type was set to user. Nevertheless the permission is successfully inserted.
ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
Google Drive API JSON reponse for changes returns bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is by setting pageToken on new requests).
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.