Chapter 7. Known Issues

The following subsections describe the known issues in version 7.7.

7.1. CVE Security Vulnerabilities

As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of Fuse 7.7.

ENTESB-8113 CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service [fuse-7.0.0]

Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service — for more details, see CVE-2018-10237.

To avoid this security vulnerability, we recommend that you:

  • Never deserialize an AtomicDoubleArray instance or a CompoundOrdering instance from an unknown source.
  • Avoid using Guava versions 24 and earlier (although in some cases it is not possible to avoid the earlier versions).

To make it easier to avoid the earlier (vulnerable) versions of Guava, Fuse 7.7 has configured its Maven Bill of Materials (BOM) files for all containers to select Guava 27 by default. This means that if you incorporate a Fuse BOM into your Maven project (by adding a dependency on the BOM to the dependencyManagement section of your POM file) and then specify a dependency on the Guava artifact without specifying an explicit version, the Guava version will default to the version specified in the BOM, which is version 27 for the Fuse 7.7 BOMs.

But there is at least one common use case involving the Apache Karaf (OSGi) container, where it is not possible to avoid using a vulnerable version of Guava: if your OSGi application uses Guava and Swagger together, you are obliged to use Guava 20, because that is the version required by Swagger. Here we explain why this is the case and how to configure your POM file to revert the earlier (vulnerable) Guava 20 library. First, you need to understand the concept of a double OSGi chain.

Double OSGi chain

Bundles in the OSGi runtime are wired together using package constraints (package name + optional version/range) — imports and exports. Each bundle can have multiple imports and usually those imports wire a given bundle with multiple bundles. For example: 

BundleA
+-- BundleB
|   +-- BundleCa
+-- BundleCb

Where BundleA depends on BundleB and BundleCb, while BundleB depends on BundleCa. BundleCa and BundleCb should be the same bundle, if the export the same packages, but due to version (range) constraints, BundleB uses (wires to) a different revision/version of BundleC than BundleA.

Rewriting the preceding diagram to reflect what happens when you include dependencies on both Guava and Swagger in an application: 

org.jboss.qe.cxf.rs.swagger-deployment
+-- Guava 27
+-- Swagger 1.5
    +-- reflections 0.9.11
        +-- Guava 20

If you try to deploy this bundle configuration, you get the error, org.osgi.framework.BundleException: Uses constraint violation.

Reverting to Guava 20

If your project uses both Guava and Swagger libraries (directly or indirectly), you should configure the maven-bundle-plugin to use an explicit version range (or no range at all) for the Guava bundle import, as follows: 

<Import-Package>
    com.google.common.base;version="[20.0,21.0)",
    com.google.common.collect;version="[20.0,21.0)",
    com.google.common.io;version="[20.0,21.0)"
</Import-Package>

This configuration forces your OSGi application to revert to the (vulnerable) Guava 20 library. It is therefore particularly important to avoid deserializing AtomicDoubleArray instances in this case.

ENTESB-12489 Fuse Console standalone deployed to Amazon Web Services requires setting system property

If you want to deploy a standalone Fuse application to Amazon Web Services, you should disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true. This requirement applies to all supported standalone environments (Spring Boot 1.x and 2.x, Karaf, and Red Hat JBoss Enterprise Application Platform).

Note

When you disable the Fuse Console proxy servlet, the Fuse Console’s Connect tab is disabled and you cannot connect to other JVMs from the Fuse Console. If you want to deploy more than one Fuse application on AWS, you must deploy the Fuse Console for each application.

CVE-2017-12629 Solr/Lucene -security bypass to access sensitive data - CVE-2017-12629

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

Note

The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises, if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).

7.2. Fuse Online

The Fuse Online distribution has the following known issues:

ENTESB-15232 Fuse Operators don’t show up after upgrading to OCP 4.6

If you have an existing deployment of Fuse 7.7 Online (or Fuse 7.7 on OpenShift) running on OCP 4.5 and you then upgrade your OpenShift cluster to OCP 4.6, you might find that the new operator channels for Fuse 7.7 (fuse-console-7.7.x, fuse-apicurito-7.7.x, and fuse-online-7.7.x) are not visible initially.

To work around this issue, see ENTESB-15232

ENTESB-14507 Auto-discovery of Kafka brokers does not work on OpenShift 4.5

Fuse Online 7.7 uses fabric8 kubernetes 4.6.1 which is not updated with changes in the OpenShift 4.5 object model. For OpenShift 4.5, to connect to a Kafka broker, you must know the URI (in host:port format) for the Kafka broker.

On OpenShift 4.4, to enable auto-discovery of Kafka brokers see the Enabling auto-discovery of Kafka brokers/AMQ Streams section in Connecting Fuse Online to Applications and Services.

ENTESB-14237 Missing patch body in FHIR Patch operation

In Fuse 7.7, specifying the JSon Patch as described in step 7 of the procedure Updating specified fields in a resource on a FHIR server does not work, because the value of the JSon Patch is not used by the connector and the error Unable to determine encoding of patch is raised by the integration.

To work around this issue, you can instead open up the settings for JSon Patch in the Data Mapper, as described in step 9.ii, and directly set the values of the fields, op, path, and value in the Data Mapper (see also the screenshots in ENTESB-14237).

ENTESB-13074 Upgrade db fails with sampledb integration active
In Fuse 7.7, when upgrading Fuse Online from version 7.6 to version 7.7, the upgrade procedure fails, if there is a running integration that uses the PostgreSQL SAMPLEDB instance. To work around this problem, shut down any integrations connected to the PostgreSQL SAMPLEDB instance before performing the upgrade.
ENTESB-13966 Discovery of deployed integration API seems disabled but not really
In Fuse 7.7, after creating a new integration containing an API, the integration detail page wrongly implies that 3scale discovery is disabled for this integration. Additionally, the integration detail page does not show the API URL. By clicking this button three times (click Enable, then click Disable, then click Enable), you can resynchronize the page so that 3scale discovery is enabled and the API URL is displayed.
ENTESB-13272 Jaeger is disabled by default on OperatorHub
Starting in Fuse 7.6, if you install Fuse Online from OperatorHub, enhanced activity tracking (which depends on Jaeger) is disabled and cannot be re-enabled after installation, because of the related issue, ENTESB-13275. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
ENTESB-13275 Missing Jaeger resources after OperatorHub installation
Starting in Fuse 7.6, enhanced activity tracking (which depends on Jaeger) is not properly enabled after installing Fuse Online from OperatorHub. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
ENTESB-12072 Missing part of first activity records on OCP 4.2. in case the activity contains error
Starting in Fuse 7.6, if you install Fuse Online from OperatorHub (which causes Fuse Online to revert to an older implementation of activity tracking), there can be missing log records in first activity logged by an integration running on Fuse Online. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
ENTESB-11407 [1.7.8] No activities after small load (~80000 messages in 20hours)
Starting in Fuse 7.6, if you install Fuse Online from OperatorHub (which causes Fuse Online to revert to an older implementation of activity tracking), the activity tracking logic can result in an exceptionally high number of dead tuples in the database used by Fuse Online to track activities. This issue causes a general slowdown in any operation that requires reads from the database, most notably accessing the list of integrations from the UI or refreshing the activities of an integration. To work around this issue, install Fuse Online using the command-line script, as described in Installing Fuse Online on OCP.
ENTESB-13110 Postgres version check runs on each reconcile even without upgrade

Starting in Fuse 7.6, the Postgres version check is performed during a fresh install, although it is only required during an upgrade. This causes spurious error messages in the log, like the following, which can be safely ignored: 

{"level":"error","ts":1583164580.847065,"logger":"configuration","msg":"Unable to determine current version of PostgreSQL running in syndesis-db pod","error":"dial tcp: lookup syndesis-db on 10.0.145.81:53: no such host"
ENTESB-12175 Camel-k integrations stay deployed even when deleted in UI
Starting in Fuse 7.5, if Camel K is enabled and you delete an integration in the UI, the Camel K integration continues to run, but isn’t displayed in Fuse Online. To work around this issue, first stop the integration in the UI and then delete it with the kamel delete command.
ENTESB-12174 API Provider running on camel-k has empty parameters
Starting in Fuse 7.5, if Camel K is enabled and you create an API Provider action that uses query parameters, the parameters are empty.
ENTESB-10577 Apicurito does not support YAML Open API spec files
Starting in Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.
ENTESB-14117 Fuse Online returns successful validation when the connector ID is unknown
When you click Validate for an API client connector, Fuse Online returns a successful validation, even if the connector ID is unknown.
ENTESB-14116 To access the Edit option for API Client Connectors you must scroll down the page
When you select an API Client Connector from the list of Connectors> API Client Connectors, Fuse Online opens the Details page for the API client Connector. However, you must then scroll down the page if you want to see the list of operations and the Edit button.
ENTESB-13854 API Client Connector wizard security fields are hidden by default
On the Specify Security page of the API Client Connector wizard, Fuse Online does not display the configure authentication options.
ENTESB-14026 SOAP Connector - WSDL file must contain only one port
If the WSDL file that you want to import contains more than one port, you must edit it to only specify one port. You can create a separate SOAP API client connector for each port by creating multiple copies of the WSDL file - each with a different port.
ENTESB-14025 SOAP Connector - WSDL file extension must be lowercase
If the WSDL file that you want to import uses an uppercase extension (.WSDL), you must change the file extension to lowercase (.wsdl). For example, download the sample.WSDL file and rename the file to sample.wsdl. Then, in the Fuse Online API Client Connectors page, you can import the sample.wsdl file.
ENTESB-14114 SOAP connector - No icon auto-generated
If you do not provide an icon for the SOAP connector, Fuse Online does not generate an icon for you.

7.3. Fuse on OpenShift

This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:

ENTESB-15307 FMP not working with OCP4.6

In Fuse 7.7.0, the fabric8-maven-plugin is not compatible with OpenShift Container Platform (OCP) 4.6. That is, if you try to build and deploy a Fuse 7.7.0 Maven project by invoking the mvn fabric8:deploy command, the build fails with an error like this: 

[ERROR] F8: Failed to execute the build [Unable to build the image using the OpenShift build service]
Exception in thread "OkHttp Dispatcher" java.util.concurrent.RejectedExecutionException: Task java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask@218c5d87 rejected from java.util.concurrent.ScheduledThreadPoolExecutor@15d41eae[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]

This error will be fixed in Fuse 7.8.0 (see ENTESB-14511).

ENTESB-15232 Fuse Operators don’t show up after upgrading to OCP 4.6

If you have an existing deployment of Fuse 7.7 on OpenShift (or Fuse 7.7 Online) running on OCP 4.5 and you then upgrade your OpenShift cluster to OCP 4.6, you might find that the new operator channels for Fuse 7.7 (fuse-console-7.7.x, fuse-apicurito-7.7.x, and fuse-online-7.7.x) are not visible initially and only the old operator channel (alpha) is visible. This is caused by known issues in OCP 4.6 (BZ 1891993 and BZ 1891995). To work around this issue, perform the following procedure as a cluster administrator:

  1. At the command line, log into your OCP 4.6 cluster as a cluster administrator.

  2. Enter the following command: 

    oc patch operatorhub/cluster --type=merge -p '"spec": {"disableAllDefaultSources": true}'
  3. Wait until OperatorHub lists no sources (or only custom sources) for the Fuse operators.

  4. Now enter the following command: 

    oc patch operatorhub/cluster --type=merge -p '"spec": {"disableAllDefaultSources": false}'
ENTESB-14601 Fuse 7.7 on OpenShift quickstarts fail on OCP 4.4

In Fuse 7.7.0, if you follow the procedure for creating and deploying an application using the S2I source workflow, the build on OpenShift fails and in the log you can see an error message like the following: 

Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not find artifact org.jboss.redhat-fuse:fuse-springboot-bom:pom:7.7.0.fuse-sb2-770010-redhat-00001 in central (https://repo.maven.apache.org/maven2)

To work around this problem, we recommend that you switch to the S2I binary workflow for building the quickstarts (see Creating and deploying an application using the S2I binary workflow).

Alternatively, if you want to stick with the S2I source workflow, you can revert to an earlier version of the relevant container image by setting the parameter, BUILDER_VERSION=1.6 in the oc new-app command. Because this alternative workaround uses an older version of the container images, however, it is not recommended for use in a production environment. For example, to build the spring-boot-camel quickstart for Spring Boot 2 in the S2I source workflow, enter the following command: 

oc new-app --template=s2i-fuse77-spring-boot-2-camel -p APP_NAME=spring-boot-camel -p BUILDER_VERSION=1.6
ENTESB-14415 [Fuse Console] Hawtio is up/down continuously on Fuse OpenShift 4

In Fuse 7.7.0, the Fuse Console deployment on OpenShift becomes unstable after a while, continuously stopping and restarting accompanied by the error Liveness probe failed. This instability is caused by the Fuse Console pod exceeding its memory allocation on OpenShift. To fix the instability, modify the memory limits for the Fuse Console deployment as follows:

  1. Use the oc rollout pause command to pause automatic redeployment of the Fuse Console pod.
  2. Edit the Fuse Console’s deployment configuration (YAML file) to increase the memory allocation to 100Mi.
  3. Use the oc rollout resume command to resume automatic redeployment of the Fuse Console pod.
ENTESB-11638 Fabric8 quickstart karaf-camel-amq does not work correctly (probably missing configuration)

In Fuse 7.7.0, the README files in the Spring Boot 1 and Spring Boot 2 quickstarts for Fuse on OpenShift contain incorrect instructions for importing and using the Java image. The following command for importing the Java image: 

oc import-image fis-java-openshift:2.0 --from=registry.access.redhat.com/jboss-fuse-7/fis-java-openshift:2.0 --confirm

Should be replaced by this command: 

oc import-image fuse-java-openshift:1.7 --from=registry.redhat.io/fuse7/fuse-java-openshift:1.7 --confirm

And the following command for running the quickstart using the downloaded image: 

mvn clean -DskipTests fabric8:deploy -Popenshift -Dfabric8.generator.fromMode=istag -Dfabric8.generator.from=MY_PROJECT_NAME/fis-java-openshift:2.0

Should be replaced by this command: 

mvn clean -DskipTests fabric8:deploy -Popenshift -Dfabric8.generator.fromMode=istag -Dfabric8.generator.from=MY_PROJECT_NAME/fuse-java-openshift:1.7

But neither of the above commands need to be run if you have already pre-installed the Fuse images, as described in the installation instructions from the Fuse on OpenShift Guide.

Note

For more details about pulling Fuse images, see the Fuse for OpenShift page in the Red Hat Ecosystem Catalog.

Note

The Apache Karaf quickstarts and JBoss EAP quickstarts for Fuse on OpenShift are not affected. The summary text of ENTESB-11638 originally referred to an issue with the Apache Karaf quickstarts, but those problems have subsequently been fixed and the only remaining problem relates to the README files for the Spring Boot quickstarts.

ENTESB-12238 [SB2] Quickstarts arquillian test fail

Starting in Fuse 7.5.0, some of the Spring Boot 2 quickstarts (generated either from Maven archetypes or quickstart templates) fail to build and deploy to OpenShift. The following Spring Boot 2 Maven archetypes are affected:

  • spring-boot-camel-archetype
  • spring-boot-camel-infinspan-archetype
  • spring-boot-cxf-jaxrs-archetype
  • spring-boot-cxf-jaxws-archetype

And the following Spring Boot 2 templates:

  • spring-boot-2-camel-template
  • spring-boot-2-camel-infinspan-template
  • spring-boot-2-cxf-jaxrs-template
  • spring-boot-2-cxf-jaxws-template

To work around this issue, after generating a Maven project for one of these quickstarts, edit the project’s Maven pom.xml file to add the following dependency: 

<dependency>
  <groupId>org.assertj</groupId>
  <artifactId>assertj-core</artifactId>
  <version>2.4.1</version>
  <scope>test</scope>
</dependency>
ENTESB-10577 Apicurito does not support YAML Open API spec files
Starting in Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.

7.4. Fuse on Spring Boot

Fuse on Spring Boot has the following known issues:

7.5. Fuse on Apache Karaf

Fuse on Apache Karaf has the following known issues:

ENTESB-8140 Start level of hot deploy bundles is 80 by default

Starting in the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows: 

felix.fileinstall.start.level = 90
ENTESB-7664 Installing framework-security feature kills karaf

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example: 

feature:install -v --no-auto-refresh framework-security

7.6. Fuse on JBoss EAP

Fuse on JBoss EAP has the following known issues:

ENTESB-14244 Add SOAP to Rest example that secures endpoint with Keycloak - update readme

In Fuse 7.7, there is an error in the README instructions for the new SOAP to Rest quickstart (camel-soap-rest-bridge). In the Prerequisites section, the command for installing the RH SSO EAP Adapter is given as: 

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli

But the correct command is actually: 

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
ENTESB-13168 Camel deployment on EAP domain mode is not working on Windows
Starting in Fuse 7.6.0, for Fuse on JBoss EAP, the Camel subsystem cannot be deployed on JBoss EAP in domain mode on Windows OS.

7.7. Apache Camel

Apache Camel has the following known issues:

ENTESB-11060 [camel-linkedin] V1 API is no longer supported
Since Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
Since Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
Google Drive API JSON response for changes returns bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is by setting pageToken on new requests).