Chapter 7. Known Issues

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Fuse 7.9 has modified its dependencies to ensure that it uses only the Velocity version (that is, version 2.3) that has been fixed to protect against this security vulnerability. If your application code has any explicit dependencies on the Apache Velocity component, we recommend that you upgrade these dependencies to use the fixed version.

Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service — for more details, see CVE-2018-10237.

To avoid this security vulnerability, we recommend that you:

To make it easier to avoid the earlier (vulnerable) versions of Guava, Fuse 7.7 has configured its Maven Bill of Materials (BOM) files for all containers to select Guava 27 by default. This means that if you incorporate a Fuse BOM into your Maven project (by adding a dependency on the BOM to the dependencyManagement section of your POM file) and then specify a dependency on the Guava artifact without specifying an explicit version, the Guava version will default to the version specified in the BOM, which is version 27 for the Fuse 7.7 BOMs.

But there is at least one common use case involving the Apache Karaf (OSGi) container, where it is not possible to avoid using a vulnerable version of Guava: if your OSGi application uses Guava and Swagger together, you are obliged to use Guava 20, because that is the version required by Swagger. Here we explain why this is the case and how to configure your POM file to revert the earlier (vulnerable) Guava 20 library. First, you need to understand the concept of a double OSGi chain.

Double OSGi chain

Bundles in the OSGi runtime are wired together using package constraints (package name + optional version/range) — imports and exports. Each bundle can have multiple imports and usually those imports wire a given bundle with multiple bundles. For example:

BundleA
+-- BundleB
|   +-- BundleCa
+-- BundleCb

Where BundleA depends on BundleB and BundleCb, while BundleB depends on BundleCa. BundleCa and BundleCb should be the same bundle, if the export the same packages, but due to version (range) constraints, BundleB uses (wires to) a different revision/version of BundleC than BundleA.

Rewriting the preceding diagram to reflect what happens when you include dependencies on both Guava and Swagger in an application:

org.jboss.qe.cxf.rs.swagger-deployment
+-- Guava 27
+-- Swagger 1.5
    +-- reflections 0.9.11
        +-- Guava 20

If you try to deploy this bundle configuration, you get the error, org.osgi.framework.BundleException: Uses constraint violation.

Reverting to Guava 20

If your project uses both Guava and Swagger libraries (directly or indirectly), you should configure the maven-bundle-plugin to use an explicit version range (or no range at all) for the Guava bundle import, as follows:

<Import-Package>
    com.google.common.base;version="[20.0,21.0)",
    com.google.common.collect;version="[20.0,21.0)",
    com.google.common.io;version="[20.0,21.0)"
</Import-Package>

This configuration forces your OSGi application to revert to the (vulnerable) Guava 20 library. It is therefore particularly important to avoid deserializing AtomicDoubleArray instances in this case.

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

In Fuse 7.9, after installing Fuse Online on a disconnected OpenShift Container Platform (OCP) cluster, you cannot access the UI for Fuse Online. When you try to access the UI, you get the following error:

504 Gateway Time-out
The server didn't respond in time.

To work around this issue, you need to scale the Fuse Online Operator down to zero, and then set three environment variables in the Syndesis OAuth Proxy deployment configuration. You can do this at the command line, by entering the following commands:

oc scale deployment fuse-online-operator --replicas 0
sleep 10
oc set env deploymentconfig/syndesis-oauthproxy HTTP_PROXY=$(oc get proxy cluster -o jsonpath='{.status.httpProxy}')
oc set env deploymentconfig/syndesis-oauthproxy HTTPS_PROXY=$(oc get proxy cluster -o jsonpath='{.status.httpsProxy}')
oc set env deploymentconfig/syndesis-oauthproxy NO_PROXY=$(oc get proxy cluster -o jsonpath='{.status.noProxy}')

Note that the Fuse Online Operator must remain scaled at zero. If you scale the Operator back to one, it will overwrite the environment variables, resetting them to the (incorrect) default values.

Since Fuse 7.8, if you are running Fuse Online in an offline (disconnected from the internet) environment and you have configured the Fuse Online custom resource (CR) to use a custom Maven repository on your local network, for example:

...
      server:
        features:
          maven:
            append: false
            repositories:
              customRepo1: http://192.0.2.0:8080
...

Then there are particular circumstances where other Maven repositories are consulted, in addition to the specified customRepo1, in spite of the fact that the append: false flag is specified in the CR. For example, this can happen if Fuse Online is configured to use extensions that download Maven dependencies while they are building. Typically, this issue causes longer build times, because the incorrect Maven repositories are consulted before the specified custom Maven repository, which wastes time during the build process.

Since Fuse 7.8, if you are attempting to install Fuse Online on OCP 3.11 with the Jaeger add-on enabled (enhanced activity tracking), it is possible you might encounter the following error:

Unknown desc = toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

This happens because the productised Jaeger container references Dockerhub images, which are out of Red Hat’s control. To work around this issue, you can either wait until rate limit window times out, or disable the Jaeger add-on.

In Fuse 7.9, a Fuse Camel project generated by API Designer (Apicurito Generator) does not expose a management port, because the file, src/main/resources/application.yml is configured incorrectly. The generated src/main/resources/application.yml file has the following configuration:

management:
  port: 8081
endpoints:
  enabled: false
  health:
    enabled: true

This configuration must be changed to:

management:
  server:
    port: 8081

  endpoints:
    enabled-by-default: false

  endpoint:
    health:
      enabled: true

Moreover, the pom.xml file in the generated project uses the fabric8-maven-plugin, which is deprecated. It is preferable to use the new openshift-maven-plugin in a Maven project.

In Fuse 7.9, when building a Karaf application to run on OpenShift, you must edit the pom.xml, adding a line to the Import-Package section of the POM file to specify the explicit version range for javax.annotation;version="[1.3,2.0)" for the javax.annotation package.

For example, if the Import-Package section in your pom.xml file looks like this:

<Import-Package>
   javax.ws.rs;version="[2, 3)",
   javax.ws.rs.core;version="[2, 3)",
   javax.ws.rs.ext;version="[2, 3)",
   javax.xml.bind;version="[2,3)",
   javax.xml.bind.annotation;version="[2,3)",
   org.osgi.service.blueprint,
   org.apache.cxf.transport.http,
   *
</Import-Package>

You would add a line with javax.annotation;version="[1.3,2.0)", so that the section looks like:

<Import-Package>
   javax.annotation;version="[1.3,2.0)",
   javax.ws.rs;version="[2, 3)",
   javax.ws.rs.core;version="[2, 3)",
   javax.ws.rs.ext;version="[2, 3)",
   javax.xml.bind;version="[2,3)",
   javax.xml.bind.annotation;version="[2,3)",
   org.osgi.service.blueprint,
   org.apache.cxf.transport.http,
   *
</Import-Package>

The reason this is needed is because some common third-party dependencies can pull in the wrong version of the javax.annotations library into the Karaf container.

While running patch:install in the Apache Karaf container on the Windows platform, under certain circumstances you might encounter the following error when the patch:install command attempts an automatic restart of the container:

Red Hat Fuse starting up. Press Enter to open the shell now...
100% [========================================================================]
Karaf started in 18s. Bundle stats: 235 active, 235 total
'.tmpdir' is not recognized as an internal or external command,
operable program or batch file.
There is a Root instance already running with name ~14 and pid ~13. If you know what you are doing and want to force the run anyway, SET CHECK_ROOT_INSTANCE_RUNNING=false and re run the command.

If you encounter this error, simply restart the Karaf container manually.

Starting in the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:

felix.fileinstall.start.level = 90

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:

feature:install -v --no-auto-refresh framework-security

In Fuse 7.9, the Camel Infinispan (camel-infinispan) component does not work for Fuse on JBoss EAP, because JBoss EAP 7.4.0 is missing a dependency on org.infinispan.protostream (see also ENTESB-16186). If you get the following error when using the Camel Infinispan component in Fuse on JBoss EAP 7.4.0:

java.lang.NoClassDefFoundError: org/infinispan/protostream/SerializationContextInitializer
    Caused by: java.lang.ClassNotFoundException: org.infinispan.protostream.SerializationContextInitializer from [Module \"org.infinispan.client.hotrod\" version 11.0.9.Final-redhat-00001 from local module loader

You can work around this problem by modifying $EAP_HOME/modules/system/layers/base/org/infinispan/client/hotrod/main/module.xml, adding the org.infinispan.protostream module as follows:

<module name="org.infinispan.client.hotrod" xmlns="urn:jboss:module:1.x">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="infinispan-client-hotrod-x.x.x.Final-redhat-00001.jar"/>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
        <module name="com.google.protobuf" optional="true"/>
        <module name="io.netty"/>
        <module name="org.infinispan.commons"/>
        <module name="org.jboss.logging"/>
        <module name="org.infinispan.protostream" optional="true"/>  <!-- add this line -->
    </dependencies>
</module>

As this problem arises in the underlying JBoss EAP container, the problem could be solved by upgrading to a fixed (and supported) version of JBoss EAP as soon as a fix becomes available.