Chapter 7. Known Issues
The following subsections describe the known issues in version 7.6.
7.1. CVE Security Vulnerabilities
As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.6.
- ENTESB-12489 CVE-2019-9827 - Fuse Console standalone on Amazon Web Services
- Due to security concerns, you should not deploy a standalone Fuse application to Amazon Web Services (AWS). This restriction applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform). If you want to deploy the Fuse Console standalone on AWS, it is highly recommended that you upgrade to Fuse 7.7 or later and disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true.
- CVE-2017-12629 Solr/Lucene - security bypass to access sensitive data - CVE-2017-12629
- Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.
  Note: The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).
- Multiple CVEs related to jackson-databind security vulnerability
- Applications that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps. At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:
  - You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:
    - Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    - By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  - There are one or more gadget classes in your Java classpath which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability. It is the existence of a large number of gadget classes that explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.
  If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON and on no account should you call the ObjectMapper.enableDefaultTyping() method.
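As an added illustration (not code from the Fuse documentation or the Jackson project), the following Java class shows what the safer of the two options above looks like in practice: default typing is never activated, and the only polymorphism is an explicit @JsonSubTypes allowlist, so a type id in the JSON that is not on the list is refused before any constructor or setter runs. The Event hierarchy and the sample JSON are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class JacksonTypingCheck {

    // Constructed message hierarchy for the example. With Id.NAME plus an explicit
    // @JsonSubTypes list, the only classes Jackson will ever instantiate for an Event
    // are the two named here; the JSON document cannot name an arbitrary class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextEvent.class, name = "text"),
        @JsonSubTypes.Type(value = PingEvent.class, name = "ping")
    })
    public interface Event {}

    public static class TextEvent implements Event { public String body; }
    public static class PingEvent implements Event {}

    /**
     * Mapper configured as the release notes recommend. Note what is absent:
     * ObjectMapper.enableDefaultTyping() is never called, so no JSON document can
     * select a class to instantiate outside the annotated allowlist.
     */
    public static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    /** Returns true if the mapper refuses a "kind" value outside the @JsonSubTypes list. */
    public static boolean rejectsUnlistedType(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Event.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // unknown type id: Jackson stops before constructing anything
        } catch (java.io.IOException e) {
            return false;  // some other parse/binding failure, not the check we are after
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();
        // A listed type id binds to the matching allowlisted class.
        Event e = safe.readValue("{\"kind\":\"text\",\"body\":\"hello\"}", Event.class);
        System.out.println("bound to " + e.getClass().getSimpleName());
        // A constructed, unlisted type id is rejected with InvalidTypeIdException.
        System.out.println("unlisted kind rejected: "
            + rejectsUnlistedType(safe, "{\"kind\":\"com.example.NotListed\"}"));
    }
}
```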
- ENTESB-12539 CVE-2019-10086 commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [fuse-7.4.0]
- The Camel Dozer (camel-dozer) component and the Camel Shiro (camel-shiro) component depend on a version of the commons-beanutils library that has a CVE security vulnerability. Your application could potentially be affected by this security vulnerability if you deploy the Camel Dozer or Camel Shiro component in one of the following containers:
  - Spring Boot 1 container
  - Spring Boot 2 container
  - JBoss EAP container
  For the Spring Boot 1 and Spring Boot 2 container types, you can work around this security vulnerability by customizing the dependencies in your project’s Maven POM file.
  For the JBoss EAP container type, no workaround is available at this time and we therefore recommend that you do not use the Camel Dozer or Camel Shiro components with Fuse on EAP. After Fuse 7.6.0 is released, a patch will be made available to fix the commons-beanutils dependency in Fuse on EAP. Contact Red Hat Support for details of the patch.
  To work around the dependency issue on Spring Boot 1 and Spring Boot 2, modify the Maven POM file for the application, as follows. For example, given a dependency on the camel-dozer-starter artifact, like this:
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-dozer-starter</artifactId>
    </dependency>
  Modify the preceding dependency, replacing it with the following lines:
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-dozer-starter</artifactId>
      <exclusions>
        <exclusion>
          <groupId>commons-beanutils</groupId>
          <artifactId>commons-beanutils</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4.redhat-00002</version>
    </dependency>
  Note: The Apache Karaf container is not affected by this issue, because it already uses a secure version of the commons-beanutils library by default, and Fuse Online is not affected, because it does not use the Camel Dozer or the Camel Shiro component.
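An added check, not from the Fuse documentation or the commons-beanutils project, that an application can run to confirm which behaviour the commons-beanutils version actually resolved on its classpath has: on the vulnerable versions, PropertyUtilsBean reports a "class" property (that is, Object.getClass()) for every bean, and CVE-2019-10086 is that this suppression was not on by default. The SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector, which the fixed 1.9.4 release registers by default, removes it; the Account bean is constructed for the example. This complements the POM exclusion above rather than replacing it.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    /** Constructed sample bean; the check works for any JavaBean. */
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /**
     * True if this PropertyUtilsBean still reports a "class" property for the bean,
     * which means Object.getClass() is reachable through BeanUtils property access.
     */
    public static boolean exposesClassProperty(PropertyUtilsBean pu, Object bean) {
        for (PropertyDescriptor pd : pu.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    /** A PropertyUtilsBean with the suppressor that 1.9.4 installs out of the box. */
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pu;
    }

    /**
     * Applies the same suppressor to the shared instance behind the static
     * BeanUtils/PropertyUtils helpers. Call this at startup, before any bean has been
     * introspected: descriptors are cached per class and are not recomputed afterwards.
     */
    public static void hardenSharedInstance() {
        BeanUtilsBean.getInstance().getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    public static void main(String[] args) {
        Account acct = new Account();
        // Result depends on the resolved version: the suppressor became the default in 1.9.4.
        System.out.println("as shipped: class property exposed = "
            + exposesClassProperty(new PropertyUtilsBean(), acct));
        // With the suppressor registered explicitly the property is gone on any 1.9.2+ release.
        System.out.println("hardened:   class property exposed = "
            + exposesClassProperty(hardenedPropertyUtils(), acct));
    }
}
```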
7.2. Fuse Online
The Fuse Online distribution has the following known issues:
- ENTESB-13276 OperatorHub overview doesn’t contain information about all addons
- In Fuse 7.6, the OperatorHub overview does not describe all of the add-ons available for the Fuse Online operator. For full details about the available add-ons, see Descriptions of custom resource attributes that configure Fuse Online.
- ENTESB-13272 Jaeger is disabled by default on OperatorHub
- In Fuse 7.6, if you install Fuse Online from OperatorHub, enhanced activity tracking (which depends on Jaeger) is disabled and cannot be re-enabled after installation, because of the related issue, ENTESB-13275. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
- ENTESB-13275 Missing Jaeger resources after OperatorHub installation
- In Fuse 7.6, it is not possible to enable enhanced activity tracking (which depends on Jaeger) after installing Fuse Online from OperatorHub. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
- ENTESB-12072 Missing part of first activity records on OCP 4.2. in case the activity contains error
- In Fuse 7.6, if you install Fuse Online from OperatorHub (which causes Fuse Online to revert to an older implementation of activity tracking), there can be missing log records in the first activity logged by an integration running on Fuse Online. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
- ENTESB-11407 [1.7.8] No activities after small load (~80000 messages in 20hours)
- In Fuse 7.6, if you install Fuse Online from OperatorHub (which causes Fuse Online to revert to an older implementation of activity tracking), the activity tracking logic can result in an exceptionally high number of dead tuples in the database used by Fuse Online to track activities. This issue causes a general slowdown in any operation that requires reads from the database, most notably accessing the list of integrations from the UI or refreshing the activities of an integration. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
- ENTESB-12854 Fuse online scripts break with space in path
- In Fuse 7.6, the install_ocp.sh script does not work with filesystem paths that have spaces in them. Ensure that the Fuse Online install directory does not have any spaces in its path.
- ENTESB-12923 Sometimes some of the pods do not come up after upgrade
- In Fuse 7.6, after upgrading, it can happen that some of the Kubernetes pods are not restarted automatically. If this happens, restart the pods manually.
- ENTESB-13074 Upgrade db fails with sampledb integration active
- In Fuse 7.6, the upgrade procedure fails if an integration using the sampleDB is currently active. To work around this problem, stop the integration before performing the upgrade procedure.
- ENTESB-13110 Postgres version check runs on each reconcile even without upgrade
- In Fuse 7.6, the Postgres version check is performed during a fresh install, although it is only required during an upgrade. This causes spurious error messages in the log, like the following, which can be safely ignored:
{"level":"error","ts":1583164580.847065,"logger":"configuration","msg":"Unable to determine current version of PostgreSQL running in syndesis-db pod","error":"dial tcp: lookup syndesis-db on 10.0.145.81:53: no such host"
- ENTESB-12175 Camel-k integrations stay deployed even when deleted in UI
- In Fuse 7.5, if Camel K is enabled and you delete an integration in the UI, the Camel K integration continues to run, but isn’t displayed in Fuse Online. To work around this issue, first stop the integration in the UI and then delete it with the kamel delete command.
- ENTESB-12174 API Provider running on camel-k has empty parameters
- In Fuse 7.5, if Camel K is enabled and you create an API Provider action that uses query parameters, the parameters are empty.
- ENTESB-12181 Operator tries to update outdated Syndesis resource
- When installing Fuse Online using the operator, the following error occurs multiple times, but it can be ignored as it has no significant effect on the installation:
{"level":"error","ts":1558617960.2453232,"logger":"controller","msg":"Error reconciling","action":"*action.startupAction","phase":"Starting","error":"Operation cannot be fulfilled on syndesises.syndesis.io \"app\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis.(*ReconcileSyndesis).Reconcile\n\t/go/src/github.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis/syndesis_controller.go:120\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:215\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}
- ENTESB-10577 Apicurito does not support YAML Open API spec files
- In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
7.3. Fuse on OpenShift
This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:
- ENTESB-13867 Quickstarts fails on Openshift 4.4
- In Fuse 7.6.0 on OpenShift Container Platform (OCP) 4.4, the quickstarts for Fuse on OpenShift fail to deploy, because the deployment YAML files use an older version of the deployment API that is incompatible with OpenShift 4.4. This happens because OpenShift 4.4 has been upgraded to Kubernetes 1.17, which no longer accepts the older version of the deployment API (that is, extensions/v1beta1) and requires deployment API version apps/v1 instead (which is documented in Deployment v1 apps).
- ENTESB-12224 Fuse console - Select a container dropdown vague behaviour
- In Fuse 7.5.0 on OCP 4 and on OCP 3, after connecting to an application through the Fuse Console, the Select a container dropdown menu behaves unreliably, sometimes showing other deployed Fuse containers and sometimes not.
- ENTESB-12238 [SB2] Quickstarts arquillian test fail
- In Fuse 7.5.0, some of the Spring Boot 2 quickstarts (generated either from Maven archetypes or quickstart templates) fail to build and deploy to OpenShift. The following Spring Boot 2 Maven archetypes are affected:
  - spring-boot-camel-archetype
  - spring-boot-camel-infinspan-archetype
  - spring-boot-cxf-jaxrs-archetype
  - spring-boot-cxf-jaxws-archetype
  And the following Spring Boot 2 templates:
  - spring-boot-2-camel-template
  - spring-boot-2-camel-infinspan-template
  - spring-boot-2-cxf-jaxrs-template
  - spring-boot-2-cxf-jaxws-template
  To work around this issue, after generating a Maven project for one of these quickstarts, edit the project’s Maven pom.xml file to add the following dependency:
    <dependency>
      <groupId>org.assertj</groupId>
      <artifactId>assertj-core</artifactId>
      <version>2.4.1</version>
      <scope>test</scope>
    </dependency>
- ENTESB-10577 Apicurito does not support YAML Open API spec files
- In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
7.4. Fuse on Spring Boot
Fuse on Spring Boot has the following known issues:
- ENTESB-12539 CVE-2019-10086 commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [fuse-7.4.0]
- In Fuse 7.6, the Camel Dozer (camel-dozer) component and the Camel Shiro (camel-shiro) component depend on a version of the commons-beanutils library that has a CVE security vulnerability. Your application could potentially be affected by this security vulnerability if you deploy the Camel Dozer or Camel Shiro component in a Spring Boot 1 container, a Spring Boot 2 container, or a JBoss EAP container. You can fix this security vulnerability by customizing the dependencies in your project’s Maven POM file; for details, see CVE for ENTESB-12539.
- ENTESB-13210 Different version of artemis-jms-client on SB2, SB1, Karaf
- In Fuse 7.6, the version of artemis-jms-client for the Spring Boot 2 container (2.11.0.redhat-00005) is different from the version of artemis-jms-client for the Spring Boot 1 container and the Apache Karaf container (2.11.0.redhat-00004). Both of these client versions are compatible with AMQ Broker 7.6, so this difference can be safely ignored.
- ENTESB-13211 Unproductised version of Hawtio in Spring Boot 2 Bom
- In Fuse 7.6, the Spring Boot 2 bill of materials (BOM) file references an unproductised version of Fuse Console (Hawtio). To work around this problem, in the Maven POM file for your Spring Boot 2 project, add the following lines to the dependency management section of the POM (Maven requires the managed dependency to sit inside a dependencies element):
    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>io.hawt</groupId>
          <artifactId>hawtio-springboot</artifactId>
          <version>2.0.0.fuse-sb2-760022-redhat-00001</version>
        </dependency>
      </dependencies>
    </dependencyManagement>
7.5. Fuse on Apache Karaf
Fuse on Apache Karaf has the following known issues:
- ENTESB-11189 Fuse Camel elasticsearch-rest component - ClassNotFoundException and IllegalAccessError
- In Fuse 7.6, the camel-elasticsearch-rest component does not work in the Apache Karaf container, because the corresponding feature is not correctly packaged.
- ENTESB-13135 Automatic encryption of users2.properties on windows makes you unable to login
- In Fuse 7.6, if you enable Jasypt encryption for etc/users2.properties on Windows, it becomes impossible to log in, even with the correct credentials.
- ENTESB-8140 Start level of hot deploy bundles is 80 by default
- In the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:
    felix.fileinstall.start.level = 90
- ENTESB-7664 Installing framework-security feature kills karaf
- The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:
    feature:install -v --no-auto-refresh framework-security
7.6. Fuse on JBoss EAP
Fuse on JBoss EAP has the following known issues:
- ENTESB-12539 CVE-2019-10086 commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [fuse-7.4.0]
- In Fuse 7.6, the Camel Dozer (camel-dozer) component and the Camel Shiro component depend on a version of the commons-beanutils library that has a CVE security vulnerability. Your application could potentially be affected by this security vulnerability if you deploy the Camel Dozer or Camel Shiro component in a Spring Boot 1 container, a Spring Boot 2 container, or a JBoss EAP container. For the JBoss EAP container type, no workaround is available at this time and we therefore recommend that you do not use the Camel Dozer or Camel Shiro components with Fuse on EAP. After Fuse 7.6.0 is released, a patch will be made available to fix the commons-beanutils dependency in Fuse on EAP. See CVE for ENTESB-12539.
- ENTESB-13168 Camel deployment on EAP domain mode is not working on Windows
- In Fuse 7.6.0, for Fuse on JBoss EAP, the Camel subsystem cannot be deployed on JBoss EAP in domain mode on Windows OS.
7.7. Apache Camel
Apache Camel has the following known issues:
- ENTESB-11060 [camel-linkedin] V1 API is no longer supported
- Since Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
- ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
- Since Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
- ENTESB-5231 PHP script language does not work
- The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
- ENTESB-5232 Python language does not work
- The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
- ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
- When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
- ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
- The Google Drive API JSON response for changes returns a bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is, by setting pageToken on new requests).