Chapter 7. Known Issues

The following subsections describe the known issues in version 7.5.

7.1. CVE Security Vulnerabilities

As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.5.

ENTESB-12489 CVE-2019-9827 - Fuse Console standalone on Amazon Web Services
Due to security concerns, you should not deploy a standalone Fuse application to Amazon Web Services (AWS). This restriction applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform). If you want to deploy the Fuse Console standalone on AWS, it is highly recommended that you upgrade to Fuse 7.7 or later and disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true.
CVE-2017-12629 Solr/Lucene - security bypass to access sensitive data

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

Note

The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk arises only if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).

Multiple CVEs related to jackson-databind security vulnerability

Applications that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps.

At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:

  1. You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:

    1. Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    2. By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  2. There are one or more gadget classes in your Java classpath, which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during a deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.

    It is the existence of a large number of gadget classes which explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.

If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON, and on no account call the ObjectMapper.enableDefaultTyping() method.
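
An added example (not from the Fuse documentation or the Jackson project) that feeds the same constructed JSON to a plain ObjectMapper and to one on which enableDefaultTyping() has been called, then shows the preferred concrete-type binding. It assumes jackson-databind 2.x on the classpath; the Envelope and OrderRequest classes and the JSON input are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingDemo {

    // Hypothetical bean with an Object-typed property: the kind of field
    // for which polymorphic typing lets the JSON input name the class.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // Hypothetical bean with concrete property types only: the input
    // has no way to select a class for any of them.
    public static class OrderRequest {
        public String id;
        public int quantity;
    }

    // Deserialize the input and report the runtime class of the payload.
    static String typeOf(ObjectMapper mapper, String json) throws Exception {
        Envelope e = mapper.readValue(json, Envelope.class);
        return e.payload.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input in the ["<class name>", <value>] wrapper form
        // that default typing reads. java.util.Date is a harmless stand-in
        // for whatever class the sender chooses to name.
        String json = "{\"id\":\"a1\",\"payload\":[\"java.util.Date\",0]}";

        // Plain mapper, no polymorphic typing: the array is bound as an
        // ordinary list and the class name inside it is just a string.
        ObjectMapper plain = new ObjectMapper();
        System.out.println("plain mapper   -> " + typeOf(plain, json));

        // Global default typing, the call the text warns against: the
        // mapper instantiates the class that the input names.
        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping();
        System.out.println("default typing -> " + typeOf(risky, json));

        // Preferred shape: bind to concrete types with the plain mapper.
        OrderRequest order = plain.readValue(
                "{\"id\":\"a1\",\"quantity\":3}", OrderRequest.class);
        System.out.println("concrete bean  -> " + order.id + " x" + order.quantity);
    }
}
```

Searching a code base for enableDefaultTyping and for Object-typed or abstract-typed bean properties is a quick way to find where the first prerequisite is met.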

7.2. Fuse Online

The Fuse Online distribution has the following known issues:

ENTESB-12327 Upgrade 7.4 → 7.5 stuck because of missing komodo image
When upgrading from Fuse Online 7.4 to 7.5, the upgrade process gets stuck scaling the komodo-server pod to 1, because of a missing image. RESOLVED in 7.5.1.
ENTESB-12328 Postgres upgrade from 9.5 to 9.6 won’t use the old data dir
When upgrading from Fuse Online 7.4 to 7.5, the upgrade process fails while attempting to upgrade Postgres from version 9.5 to 9.6. RESOLVED in 7.5.1.
ENTESB-12175 Camel-k integrations stay deployed even when deleted in UI
In Fuse 7.5, if Camel K is enabled and you delete an integration in the UI, the Camel K integration continues to run, but isn’t displayed in Fuse Online. To work around this issue, first stop the integration in the UI and then delete it with the kamel delete command.
ENTESB-12174 API Provider running on camel-k has empty parameters
In Fuse 7.5, if Camel K is enabled and you create an API Provider action that uses query parameters, the parameters are empty.
ENTESB-11780 E7: Upgrade from 7.4 using operatorhub (OCP4)
You cannot upgrade a Fuse Online installation from 7.4 to 7.5 using OperatorHub. You need to make a clean installation of Fuse Online 7.5, manually export integrations from the old 7.4 installation, and then import the integrations into the new 7.5 installation. This issue will be addressed in Fuse 7.6.
ENTESB-12040 Komodo server and syndesis-dv present after upgrade
After upgrading an on-premises installation of Fuse Online from 7.4 to 7.5, there will be both a komodo-server pod and a syndesis-dv pod present in the upgraded cluster. The komodo-server pod is redundant and can be scaled back to 0.
ENTESB-11633 Increase the default time on SQL queries
In Fuse Online, SQL queries can fail if they take too long to complete (for example, queries applied to a large table). The default timeout for SQL queries in Fuse Online is 15 seconds. This issue will be fixed in Fuse 7.6.
ENTESB-11407 [1.7.8] No activities after small load (~80000 messages in 20hours)

Performance testing has shown that the activity tracking logic can result in an exceptionally high number of dead tuples in the database used by Fuse Online to track activities. This issue causes a general slowdown in any operation that requires reads from the database, most notably accessing the list of integrations from the UI or refreshing the activities of an integration. The workaround for this issue is to perform periodic maintenance of the database by issuing the SQL statement VACUUM FULL ANALYSE jsondb.

Here are the steps to perform this task:

# check to see if there are dead tuples (not vacuumed)
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo SELECT schemaname, relname, n_live_tup, n_dead_tup, last_autovacuum FROM pg_stat_all_tables WHERE relname = \'jsondb\'|psql -U syndesis"

 schemaname | relname | n_live_tup | n_dead_tup |        last_autovacuum
------------+---------+------------+------------+-------------------------------
 public     | jsondb  |      26893 |     491210 | 2019-07-17 09:26:51.264029+00
(1 row)

# since there are 491210 dead tuples, perform the following

# scale down the server
$ oc scale --replicas=0 dc syndesis-server

# terminate all running connections
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo SELECT pg_terminate_backend\(a.pid\) FROM pg_locks l join pg_stat_activity a ON a.pid = l.pid WHERE l.mode = \'ExclusiveLock\' AND a.usename = \'syndesis\'|psql -U syndesis"
FATAL:  terminating connection due to administrator command
server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.
connection to server was lost
command terminated with exit code 2

# the preceding FATAL error is expected, because the statement also closes the connection psql is using

# execute `VACUUM FULL ANALYSE`
$ oc exec -c postgresql $(oc get pod -l 'syndesis.io/component=syndesis-db' --no-headers=true -o=custom-columns=x:.metadata.name) -- bash -c "echo VACUUM FULL ANALYSE jsondb|psql -U syndesis"
VACUUM

# scale up server
$ oc scale --replicas=1 dc syndesis-server

5458 Operator tries to update outdated Syndesis resource

When installing Fuse Online using the operator, the following error occurs multiple times, but it can be ignored as it has no significant effect on the installation:

{"level":"error","ts":1558617960.2453232,"logger":"controller","msg":"Error reconciling","action":"*action.startupAction","phase":"Starting","error":"Operation cannot be fulfilled on syndesises.syndesis.io \"app\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis.(*ReconcileSyndesis).Reconcile\n\t/go/src/github.com/syndesisio/syndesis/install/operator/pkg/controller/syndesis/syndesis_controller.go:120\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:215\ngithub.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/syndesisio/syndesis/install/operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}
ENTESB-10577 Apicurito does not support YAML Open API spec files
In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
698 DB Connector: SQL parser doesn’t recognize parameters for LIKE
In SQL statements containing the LIKE keyword (for example, DELETE FROM TODO WHERE task LIKE ':#param'), the LIKE keyword cannot be used with datamapper parameters, such as :#param.

7.3. Fuse on OpenShift

This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:

ENTESB-12941 prometheus doesn’t work with OCP 4.4

The Prometheus image that is packaged with Fuse 7.5.0 does not work on OpenShift Container Platform (OCP) 4.4. If you attempt to install the Fuse 7.5.0 Prometheus image on OCP 4.4, you will get the following error:

error: unable to recognize no matches for kind "Deployment" in version "apps/v1beta2"

This issue does not affect Prometheus on OCP 4.3, however.

ENTESB-11712 [Hawtio] Add a configuration in OSGi doesn’t work
In Fuse 7.5.0 on OCP 3.11, when using Fuse Console (Hawtio) on Apache Karaf, the Add configuration button in the OSGi tab does not work.
ENTESB-12224 Fuse console - Select a container dropdown vague behaviour
In Fuse 7.5.0 on OCP 4 and on OCP 3, after connecting to an application through the Fuse Console, the Select a container dropdown menu behaves unreliably, sometimes showing other deployed Fuse containers and sometimes not.
ENTESB-11131 OLM manifest for the Fuse Console operator
In Fuse 7.5.0 on OCP 4, the Fuse Console (Hawtio) cannot be installed using an operator from the Operator Hub.
ENTESB-12241 OSGi pages not working on OCP 4.1
In Fuse 7.5.0 on OCP 4, for an application deployed on Apache Karaf on OCP 4.1, when monitoring the application through the Fuse Console (Hawtio), it is not possible to view the OSGi pages.
ENTESB-12238 [SB2] Quickstarts arquillian test fail

In Fuse 7.5.0, some of the Spring Boot 2 quickstarts (generated either from Maven archetypes or quickstart templates) fail to build and deploy to OpenShift. The following Spring Boot 2 Maven archetypes are affected:

  • spring-boot-camel-archetype
  • spring-boot-camel-infinispan-archetype
  • spring-boot-cxf-jaxrs-archetype
  • spring-boot-cxf-jaxws-archetype

And the following Spring Boot 2 templates:

  • spring-boot-2-camel-template
  • spring-boot-2-camel-infinispan-template
  • spring-boot-2-cxf-jaxrs-template
  • spring-boot-2-cxf-jaxws-template

To work around this issue, after generating a Maven project for one of these quickstarts, edit the project’s Maven pom.xml file to add the following dependency:

<dependency>
  <groupId>org.assertj</groupId>
  <artifactId>assertj-core</artifactId>
  <version>2.4.1</version>
  <scope>test</scope>
</dependency>

ENTESB-10577 Apicurito does not support YAML Open API spec files
In Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.

7.4. Fuse on Spring Boot

Fuse on Spring Boot has the following known issues:

ENTESB-12137 [camel-box] not working on SB2
In the Fuse 7.5.0 release, the Camel Box component is not working on the Spring Boot 2 container.

7.5. Fuse on Apache Karaf

Fuse on Apache Karaf has the following known issues:

ENTESB-12105 [camel-salesforce-quickstart] Camel salesforce quickstart is not working on Karaf

In Fuse 7.5.0, if you follow the instructions provided in the README for the Apache Karaf camel-salesforce quickstart, the application does not build. To work around this problem, instead of building the quickstart using the command mvn -Pgenerate-pojos clean install (as described in the README file), enter the following command:

mvn clean install

In other words, omit the -Pgenerate-pojos option from the Maven command.

ENTESB-8140 Start level of hot deploy bundles is 80 by default

In the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows:

felix.fileinstall.start.level = 90

ENTESB-7664 Installing framework-security feature kills karaf

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example:

feature:install -v --no-auto-refresh framework-security

7.6. Apache Camel

Apache Camel has the following known issues:

ENTESB-12210 XPath evaluation fails with null body using Saxon-HE-9.8.0-8_1
Since Fuse 7.0, an XPath expression throws a NullPointerException (NPE) if it is executed against a null header or body when Saxon is used as the JAXP provider.
ENTESB-12050 [camel-jetty] java.lang.NoClassDefFoundError: org/eclipse/jetty/util/MultiPartInputStreamParser

Since Fuse 7.5.0, if you define a custom multi-part filter on the Jetty9 component by setting the multipartFilter option (or the multipartFilterRef option), the custom multi-part filter must be implemented by extending the new org.apache.camel.component.jetty.MultiPartFilter class. If you already have a filter implementation that was defined by extending the (deprecated) org.eclipse.jetty.servlets.MultiPartFilter class, you must re-implement this class by extending org.apache.camel.component.jetty.MultiPartFilter instead.

Note that if you deploy an old custom filter that was implemented by extending org.eclipse.jetty.servlets.MultiPartFilter to the Apache Karaf container in Fuse 7.5.0, you will get a java.lang.NoClassDefFoundError. This is because the deprecated org.eclipse.jetty.servlets.MultiPartFilter class uses the deprecated org.eclipse.jetty.util.MultiPartInputStreamParser class, which has been removed from Jetty 9.4.20.

ENTESB-10490 camel-jetty9 with https does not work on IBM java
The default security settings of the Camel Jetty9 component are not compatible with the IBM Java VM. In order to use TLS security with the Camel Jetty9 component on the IBM Java VM, it is necessary to configure the TLS security settings explicitly on the Jetty9 component.
ENTESB-12102 Camel-box quickstart is not working

In Fuse 7.5.0, the camel-box quickstart gives an error when you run the sample application. To work around this issue, edit the camel-box/src/main/resources/OSGI-INF/blueprint/box.xml file and look for the following line near the end of the route definition:

<to uri="box:files/uploadFile"/>

Replace this with the following line (which adds the check=false URI option):

<to uri="box:files/uploadFile?check=false"/>

ENTESB-11060 [camel-linkedin] V1 API is no longer supported
Since Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
The Google Drive API JSON response for changes returns a bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is, by setting pageToken on new requests).