Chapter 7. Known Issues
The following subsections describe the known issues in version 7.4.
7.1. CVE Security Vulnerabilities
As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.4.
- ENTESB-12489 CVE-2019-9827 - Fuse Console standalone on Amazon Web Services
Due to security concerns, you should not deploy a standalone Fuse application to Amazon Web Services (AWS). This restriction applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform). If you want to deploy the Fuse Console standalone on AWS, it is highly recommended that you upgrade to Fuse 7.7 or later and disable the Fuse Console's proxy servlet by setting the hawtio.disableProxy system property to true.
- CVE-2017-12629 Solr/Lucene - security bypass to access sensitive data
Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.
Note: The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).
- Multiple CVEs related to jackson-databind security vulnerability
Applications that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps. At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:
- You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:
  - Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
  - By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
- There are one or more gadget classes in your Java classpath, which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during a deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.
It is the existence of a large number of gadget classes which explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.
Important: Fuse will be upgraded to use the latest version of jackson-databind at the earliest opportunity. However, Fuse 7.4.0 is currently not aligned with the latest version of jackson-databind.
If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON, and on no account should you call the ObjectMapper.enableDefaultTyping() method.
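As an added Java example (not code from the Fuse documentation or the Jackson project), the following contrasts a mapper with global default typing against one that leaves it off, and shows the narrowly scoped annotation-based alternative for the cases where polymorphism is genuinely required; the JacksonTypingDemo class, the Shape types and the sample payload are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonTypingDemo {
    // Weak setting, shown only for contrast: global default typing lets the JSON
    // document choose which class Jackson instantiates for any Object-typed value.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // the call the release notes say never to make
        return m;
    }
    // Corrected setting: a plain ObjectMapper with default typing left off.
    // Object-typed values become Map/List/String/Number, never arbitrary classes.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }
    // Hypothetical types: if polymorphism is really needed, scope it to one property
    // with NAME ids and a closed subtype list, so only Circle or Square can be created.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }
    // Constructed payload in the wrapper-array shape that default typing accepts:
    // the first element names the class to instantiate.
    static final String TYPED_PAYLOAD = "[\"java.util.HashMap\", {\"a\": 1}]";

    public static void main(String[] args) throws Exception {
        // Without default typing the same bytes are just a two-element list.
        Object plain = safeMapper().readValue(TYPED_PAYLOAD, Object.class);
        System.out.println("safe mapper built a " + plain.getClass().getName());
        // With default typing the class name carried in the payload is honoured.
        Object typed = unsafeMapper().readValue(TYPED_PAYLOAD, Object.class);
        System.out.println("unsafe mapper built a " + typed.getClass().getName());
        // Closed subtype list: a known id resolves, an unknown id is rejected.
        Shape s = safeMapper().readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("shape resolved to " + s.getClass().getSimpleName());
        try {
            safeMapper().readValue("{\"kind\":\"java.lang.Runtime\"}", Shape.class);
        } catch (JsonMappingException e) {
            System.out.println("unknown type id rejected: " + e.getOriginalMessage());
        }
    }
}
```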
7.2. Fuse Online
The Fuse Online distribution has the following known issues:
- 6052 [1.7.8] No activities after small load (~80000 messages in 20hours)
Performance testing has shown that the activity tracking logic can result in an exceptionally high number of dead tuples in the database used by Fuse Online to track activities. This issue causes a general slowdown in any operation that requires reads from the database, most notably accessing the list of integrations from the UI or refreshing the activities of an integration. The workaround for this issue is to perform periodic maintenance of the database by issuing the SQL statement VACUUM FULL ANALYSE jsondb. Here are the steps to perform this task:

# check to see if there are dead tuples (not vacuumed)
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo SELECT schemaname, relname, n_live_tup, n_dead_tup, last_autovacuum FROM pg_stat_all_tables WHERE relname = \'jsondb\'|psql -U syndesis"
 schemaname | relname | n_live_tup | n_dead_tup |        last_autovacuum
------------+---------+------------+------------+-------------------------------
 public     | jsondb  |      26893 |     491210 | 2019-07-17 09:26:51.264029+00
(1 row)

# since there are 491210 dead tuples, perform the following
# scale down the server
$ oc scale --replicas=0 dc syndesis-server

# terminate all running connections
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo SELECT pg_terminate_backend\(a.pid\) FROM pg_locks l join pg_stat_activity a ON a.pid = l.pid WHERE l.mode = \'ExclusiveLock\' AND a.usename = \'syndesis\'|psql -U syndesis"
FATAL:  terminating connection due to administrator command
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
connection to server was lost
command terminated with exit code 2
# the preceding FATAL error is expected, because the statement also closes the connection psql is using

# execute `VACUUM FULL ANALYSE`
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo VACUUM FULL ANALYSE jsondb|psql -U syndesis"
VACUUM

# scale up server
$ oc scale --replicas=1 dc syndesis-server
- 5458 Operator tries to update outdated Syndesis resource
When installing Fuse Online using the operator, the following error occurs multiple times, but it can be ignored as it has no significant effect on the installation:
{"level":"error","ts":1558617960.2453232,"logger":"controller","msg":"Error reconciling","action":"*action.startupAction","phase":"Starting","error":"Operation cannot be fulfilled on syndesises.syndesis.io \"app\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis.(*ReconcileSyndesis).Reconcile\n\t/go/src/github.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis/syndesis_controller.go:120\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:215\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}
- ENTESB-10577 Apicurito does not support YAML Open API spec files
In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
- 667 'null' when using "ItemAt" transformation from List<> Number
When mapping from a List to a Double type field using the ItemAt transformation, an exception gets thrown by the data mapper.
- 1558 "Save as draft" and "Publish" buttons
Both the Save as draft button and the Publish button remain active, even after a user has clicked on one of the buttons and started stepping through the procedure.
- 698 DB Connector: SQL parser doesn't recognize parameters for LIKE
In SQL statements containing the LIKE keyword (for example, DELETE FROM TODO WHERE task LIKE ':#param'), the LIKE keyword cannot be used with datamapper parameters, such as :#param.
7.3. Fuse on OpenShift
This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:
- ENTESB-10817 Openshift 4.1 + FMP: Unexpected response (403 Forbidden), to the authorization request. Missing header:[Location]!
On OpenShift Container Platform (OCP) 4.1, if the fabric8-maven-plugin uses Fabric8's Kubernetes client implementation to authenticate itself to OpenShift, instead of relying on an existing session created by the oc login command, you get the following error:

[ERROR] Failed to execute goal org.jboss.redhat-fuse:fabric8-maven-plugin:7.4.0.fuse-740024:build (default) on project fabric8-maven-sample-zero-config: Failed to execute the build: Unable to build the image using the OpenShift build service: Unexpected response (403 Forbidden), to the authorization request. Missing header:[Location]!

In particular, the procedure for building and deploying the Fuse on OpenShift quickstart example in the Tooling User Guide relies on the fabric8-maven-plugin authenticating itself directly to OpenShift. When following the instructions in the section, Deploying the Fuse Integration project to OpenShift, to deploy the project to an OCP 4.1 cluster, modify step 5 as follows:
- Log into the OpenShift console for the OCP 4.1 cluster where you want to deploy your application.
- Click on the username in the upper right corner of the OpenShift console and select the menu option, Copy Login Command. This copies a string of the form oc login https://192.168.42.218:8443 --token=xxxxxxxx into the clipboard, where xxxxxxxx is a base-64 encoded string representing the session token.
- Remove the -Dkubernetes.auth.basic.password=admin setting from the VM arguments pane and replace it with the setting -Dkubernetes.auth.token=xxxxxxxx, where xxxxxxxx is the session token extracted from the clipboard string.
Note: The examples and tutorials in the Fuse on OpenShift Guide generally rely on a session created by the oc login command. So if you are following the steps for one of those examples, you will not encounter this error.
- ENTESB-10694 Problem using Fuse Console on OCP4.1 beta
On OpenShift 4, if you want to manage Fuse services with the Fuse Console, you must install the community version (Hawtio) by using the community operator from OperatorHub. You access the OperatorHub from the OpenShift web console’s main catalog.
Note: A Kubernetes Operator is a script that simplifies the installation and management of an OpenShift (or Kubernetes) application.
To keep the connection between the Fuse Console proxy and the Jolokia agent secure, after you install the community version of the Fuse Console and before you deploy it, you must generate, sign and deploy a client certificate. See this README file for instructions on how to secure the Fuse Console on OpenShift 4.
- ENTESB-10577 Apicurito does not support YAML Open API spec files
In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
7.4. Fuse on Spring Boot
Fuse on Spring Boot has the following known issues:
- ENTESB-11164 Missing qpid-jms-client in SB2 BOM
In the Fuse 7.4.0 release, the Spring Boot 2 Bill of Materials (BOM) file references the incorrect version of the org.apache.qpid:qpid-jms-client Maven artifact for the Qpid JMS client. To use the correct (Red Hat supported) version of org.apache.qpid:qpid-jms-client in your Maven project, add the following dependencies to your project's POM file:

<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-amqp</artifactId>
  <exclusions>
    <exclusion>
      <groupId>org.apache.qpid</groupId>
      <artifactId>qpid-jms-client</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.qpid</groupId>
      <artifactId>proton-j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.qpid</groupId>
  <artifactId>qpid-jms-client</artifactId>
  <version>0.40.0.redhat-00001</version>
</dependency>
<dependency>
  <groupId>org.apache.qpid</groupId>
  <artifactId>proton-j</artifactId>
  <version>0.31.0.redhat-00001</version>
</dependency>

- ENTESB-11163 Incorrect version of AMQ client in SB2 BOM in Fuse 7.4.0.CR4
In the Fuse 7.4.0 release, the Spring Boot 2 BOM file references the incorrect version of the org.apache.activemq:activemq-client Maven artifact.
- Spring Boot 2 BOM references unsupported Camel jBPM component
In the Fuse 7.4.0 release, the Spring Boot 2 BOM (Bill of Materials) references the Camel jBPM component, which is currently unsupported in Fuse.
7.5. Fuse on Apache Karaf
Fuse on Apache Karaf has the following known issues:
- ENTESB-8140 Start level of hot deploy bundles is 80 by default
In the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:

felix.fileinstall.start.level = 90

- ENTESB-7664 Installing framework-security feature kills karaf
The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:

feature:install -v --no-auto-refresh framework-security
7.6. Apache Camel
Apache Camel has the following known issues:
- ENTESB-11060 [camel-linkedin] V1 API is no longer supported
In Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
- ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
Since Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
- ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
- ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
- ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
- ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
The Google Drive API JSON response for changes returns a bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is, by setting pageToken on new requests).