Language and Page Formatting Options
Chapter 7. Known Issues
The following subsections describe the known issues in version 7.11.
7.1. CVE Security Vulnerabilities
As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known common vulnerabilities and exposures (CVEs) related to security that affect third-party dependencies of Fuse 7.11.
- CVE-2020-13936 CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Fuse 7.9 (and later) has modified its dependencies to ensure that it uses only the Velocity version (that is, version 2.3) that has been fixed to protect against this security vulnerability. If your application code has any explicit dependencies on the Apache Velocity component, we recommend that you upgrade these dependencies to use the fixed version.
- ENTESB-8113 CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service [fuse-7.0.0]
Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the
AtomicDoubleArrayclass (when serialized with Java serialization) and the
CompoundOrderingclass (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service — for more details, see CVE-2018-10237.
To avoid this security vulnerability, we recommend that you:
Never deserialize an
AtomicDoubleArrayinstance or a
CompoundOrderinginstance from an unknown source.
- Avoid using Guava versions 24 and earlier (although in some cases it is not possible to avoid the earlier versions).
To make it easier to avoid the earlier (vulnerable) versions of Guava, Fuse 7.7 (and later) has configured its Maven Bill of Materials (BOM) files for all containers to select Guava 27 by default. This means that if you incorporate a Fuse BOM into your Maven project (by adding a dependency on the BOM to the
dependencyManagementsection of your POM file) and then specify a dependency on the Guava artifact without specifying an explicit version, the Guava version will default to the version specified in the BOM, which is version 27 for the Fuse 7.7 BOMs.
But there is at least one common use case involving the Apache Karaf (OSGi) container, where it is not possible to avoid using a vulnerable version of Guava: if your OSGi application uses Guava and Swagger together, you are obliged to use Guava 20, because that is the version required by Swagger. Here we explain why this is the case and how to configure your POM file to revert the earlier (vulnerable) Guava 20 library. First, you need to understand the concept of a double OSGi chain.
Double OSGi chain
Bundles in the OSGi runtime are wired together using package constraints (package name + optional version/range) — imports and exports. Each bundle can have multiple imports and usually those imports wire a given bundle with multiple bundles. For example:
BundleA +-- BundleB | +-- BundleCa +-- BundleCb
BundleCbshould be the same bundle, if the export the same packages, but due to version (range) constraints,
BundleBuses (wires to) a different revision/version of
Rewriting the preceding diagram to reflect what happens when you include dependencies on both Guava and Swagger in an application:
org.jboss.qe.cxf.rs.swagger-deployment +-- Guava 27 +-- Swagger 1.5 +-- reflections 0.9.11 +-- Guava 20
If you try to deploy this bundle configuration, you get the error,
org.osgi.framework.BundleException: Uses constraint violation.
Reverting to Guava 20
If your project uses both Guava and Swagger libraries (directly or indirectly), you should configure the
maven-bundle-pluginto use an explicit version range (or no range at all) for the Guava bundle import, as follows:
<Import-Package> com.google.common.base;version="[20.0,21.0)", com.google.common.collect;version="[20.0,21.0)", com.google.common.io;version="[20.0,21.0)" </Import-Package>
This configuration forces your OSGi application to revert to the (vulnerable) Guava 20 library. It is therefore particularly important to avoid deserializing
AtomicDoubleArrayinstances in this case.
- Never deserialize an
- CVE-2017-12629 Solr/Lucene -security bypass to access sensitive data - CVE-2017-12629
Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.Note
The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises, if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).
- CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0
This vulnerability in Apache Mina SSHD was addressed by SSHD-1004, which deprecates certain cryptographic algorithms that have this vulnerability. In Fuse 7.10 on Karaf and Fuse 7.10 on JBoss EAP, these deprecated algorithms are still supported (for reasons of backwards compatibility). However, if you are using one of these deprecated algorithms, it is strongly recommended that you refactor your application code to use a different algorithm instead.
In Fuse 7.10, the default cipher algorithms have changed as follows.
Fuse 7.9 Fuse 7.10 Deprecated in Fuse 7.10?
In Fuse 7.10, the default key exchange algorithms have changed as follows.
Fuse 7.9 Fuse 7.10 deprecated in 7.10?
7.2. Fuse Online
The Fuse Online distribution has the following known issues:
- ENTESB-17674 Monitoring Fuse Online with Prometheus and Grafana on OCP 4.9 (or later) requires workaround
On OCP 4.9 (or later), the
application-monitoringproject no longer works. It is a prerequisite for monitoring Fuse Online integrations and infrastructure components with Prometheus and Grafana.
To work around this issue, you can use the built-in monitoring stack (in the
openshift-monitoringnamespace) to use the
openshift-user-workload-monitoringfeature and the
grafana-operatorto use the
ops addonas described in the Important notes for Fuse Online section of these release notes.
- ENTESB-15348 Syndesis-jaeger uses unproductized image on OCP 3.11
Since Fuse 7.8, if you are attempting to install Fuse Online on OCP 3.11 with the Jaeger add-on enabled (enhanced activity tracking), it is possible you might encounter the following error:
Unknown desc = toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
This happens because the productised Jaeger container references Dockerhub images, which are out of Red Hat’s control. To work around this issue, you can either wait until rate limit window times out, or disable the Jaeger add-on.
- ENTESB-14518 Jaeger operator installed by Syndesis 1.11 affects other namespaces
Since Fuse 7.8, when you install Fuse 7.8 Online (Syndesis 1.11) on an OpenShift cluster, the Jaeger Operator (which gets installed along with Fuse Online) is configured to manage All namespaces by default. A side effect of this behavior is that, in the case where you already have Fuse 7.7 Online (Syndesis 1.10) installed on a cluster and then you install Fuse 7.8 Online in a different namespace, the Jaeger Operator installed with Fuse 7.8 Online tries to manage the (older) Jaeger instance installed on the Fuse 7.7 Online namespace. The result is that a new
syndesis-jaegerpod — in addition to the existing
syndesis-jaegerpod — appears in the Fuse 7.7 Online namespace and the new
syndesis-jaegerpod enters the
CrashLoopBackOffstate. The original Fuse 7.7 Online instance is not affected and the crashed
syndesis-jaegerpod can be safely ignored.
- ENTESB-13966 Discovery of deployed integration API seems disabled but not really
- Starting in Fuse 7.7, after creating a new integration containing an API, the integration detail page wrongly implies that 3scale discovery is disabled for this integration. Additionally, the integration detail page does not show the API URL. By clicking this button three times (click Enable, then click Disable, then click Enable), you can resynchronize the page so that 3scale discovery is enabled and the API URL is displayed.
_link:https://issues.redhat.com/browse/ENTESB-19343_Fuse Online is not able to be installed on OpenShift 4.11 (nightly build)
In openshift 4.11 when a serviceaccount is created, it also creates a secret (token), but doesn’t link to the serviceaccount. So when you try to install Fuse online on OpenShift 4.11, it fails. The workaround is to link the secret to the the serviceaccount as follows:
+ . Retrieve the full name of
oc get secrets
Link the secret with
syndesis-oauth SA. For example,
oc secrets link syndesis-oauth-client syndesis-oauth-client-token-p6w5p
- Repeat above step for each SA and its appropriate token secret (same name prefix) in the namespace. For example,
oc secrets link syndesis-default syndesis-default-token-5jdzr oc secrets link syndesis-integration syndesis-integration-token-bmlc4 oc secrets link syndesis-server syndesis-server-token-5hqzq
7.3. Fuse on OpenShift
This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:
- ENTESB-17895 [ Fuse Console ] Upgrade subscription does not update Hawtio
- In Fuse 7.10, if you update the Fuse Console by changing the Operator subscription channel to version 7.10, the Fuse Console remains on vesion 7.9. Even if the the Fuse Console containers and pods have the label 7.10, they are still using the 7.9 images. To work around this problem, perform the upgrade by removing the older version of Fuse Console and then making a fresh install of Fuse Console version 7.10.
- ENTESB-17861 Apicurito generator cannot generate Fuse Camel Project
In Fuse 7.10, the API Designer (Apicurito) does not work properly, if it is installed via the Apicurito Operator (giving an Invalid Cert Error). To work around this problem:
Open a new tab to
cluster-name.openshift.comwith your cluster name.).
- Accept the certificates.
- Switch to the application and click on the generate button again.
- ENTESB-17836 [ Fuse Console ] A newly added route is not displayed in the Camel tree
- In Fuse 7.10, after deploying an application, the route (or routes) is not displayed in the Camel tree on the Fuse Console. You can work around this issue by refreshing the page, which should make the route appear.
_ENTESB-19351_FIPS on OCP - Jolokia agent doesn’t start due to unsupported security encoding
In Fuse 7.11, in OCP FIPS-enabled Jolokia agent becomes unavailable due to unsupported security encoding.
_ENTESB-19352_FIPS on OCP - karaf-maven-plugin assembly goal fails to unsupported security provider
In Fuse 7.11, a binary stream deploy strategy fails on OCP FIPS enabled, with Karaf applications, if we use
karaf-maven-plugin with assembly goal.
7.4. Fuse on Apache Karaf
Fuse on Apache Karaf has the following known issues:
- ENTESB-16417 Credential store is using PBEWithSHA1AndDESede by default
- The security API in OpenJDK 8u292 and in OracleJDK 1.8.0_291 returns an incomplete list of security providers, which causes the credential store in Apache Karaf to fail (because the required security provider appears to be unavailable). The underlying issue that causes this problem is https://bugs.openjdk.java.net/browse/JDK-8249906. We recommend that you use the earlier OpenJDK version, OpenJDK 8u282, or the later OpenJDK version, OpenJDK 8u302, which do not have this bug.
- ENTESB-16526 fuse-karaf on Windows cannot restart during patch:install
patch:installin the Apache Karaf container on the Windows platform, under certain circumstances you might encounter the following error when the
patch:installcommand attempts an automatic restart of the container:
Red Hat Fuse starting up. Press Enter to open the shell now... 100% [========================================================================] Karaf started in 18s. Bundle stats: 235 active, 235 total '.tmpdir' is not recognized as an internal or external command, operable program or batch file. There is a Root instance already running with name ~14 and pid ~13. If you know what you are doing and want to force the run anyway, SET CHECK_ROOT_INSTANCE_RUNNING=false and re run the command.
If you encounter this error, simply restart the Karaf container manually.
- ENTESB-8140 Start level of hot deploy bundles is 80 by default
Starting in the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the
etc/org.apache.felix.fileinstall-deploy.cfgfile and change the
felix.fileinstall.start.levelsetting as follows:
felix.fileinstall.start.level = 90
- ENTESB-7664 Installing framework-security feature kills karaf
framework-securityOSGi feature must be installed using the
--no-auto-refreshoption, otherwise this feature will shut down the Apache Karaf container. For example:
feature:install -v --no-auto-refresh framework-security
7.5. Fuse on JBoss EAP
Fuse on JBoss EAP has the following known issues:
- ENTESB-13168 Camel deployment on EAP domain mode is not working on Windows
- Starting in Fuse 7.6.0, for Fuse on JBoss EAP, the Camel subsystem cannot be deployed on JBoss EAP in domain mode on Windows OS.
7.6. Fuse Tooling
Fuse Tooling has the following known issues:
- ENTESB-17705 [ Hawtio ] Logout button disappears
- In Fuse 7.10, after logging in and logging out several times in a row, the Logout button is not shown. To work around this issue, you can refresh the page one or more times and the Logout button should reappear.
- _ENTESB-17839_Fuse + AtlasMap: Unrecognized field "dataSourceType"
- In Fuse 7.11, if user wants to use AtlasMap vscode extension, then they must use version 0.0.9 as Fuse 7.11 is with AtlasMap 2.3.x. Otherwise use AtlasMap standalone 2.3.x but not the vscode-extension.
7.7. Apache Camel
Apache Camel has the following known issues:
- ENTESB-15343 XSLT component not working properly with IBM1.8 JDK
In Fuse 7.8, the Camel XSLT component does not work properly with the IBM 1.8 JDK. The problem occurs because the underlying Apache Xerces implementation of XSLT does not support the
javax.xml.XMLConstants#FEATURE_SECURE_PROCESSINGproperty (see XERCESJ-1654).
- ENTESB-11060 [ camel-linkedin ] V1 API is no longer supported
- Since Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
- ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
Since Fuse 7.0, the
camel-dockercomponent can connect to Docker only through its REST API, not through UNIX sockets.
- ENTESB-5231 PHP script language does not work
- The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
- ENTESB-5232 Python language does not work
- The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
- ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
- When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
- ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
Google Drive API JSON response for changes returns bad count of items for the first page. Setting
maxResultsfor a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is by setting
pageTokenon new requests).