Chapter 7. Known Issues

The following subsections describe the known issues in version 7.8.

7.1. CVE Security Vulnerabilities

As a middleware integration platform, Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of Fuse could have security vulnerabilities. This section documents known common vulnerabilities and exposures (CVEs) related to security that affect third-party dependencies of Fuse 7.8.

ENTESB-8113 CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service [fuse-7.0.0]

Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service — for more details, see CVE-2018-10237.

To avoid this security vulnerability, we recommend that you:

  • Never deserialize an AtomicDoubleArray instance or a CompoundOrdering instance from an unknown source.
  • Avoid using Guava versions 24 and earlier (although in some cases it is not possible to avoid the earlier versions).

To make it easier to avoid the earlier (vulnerable) versions of Guava, Fuse 7.7 has configured its Maven Bill of Materials (BOM) files for all containers to select Guava 27 by default. This means that if you incorporate a Fuse BOM into your Maven project (by adding a dependency on the BOM to the dependencyManagement section of your POM file) and then specify a dependency on the Guava artifact without specifying an explicit version, the Guava version will default to the version specified in the BOM, which is version 27 for the Fuse 7.7 BOMs.

But there is at least one common use case involving the Apache Karaf (OSGi) container, where it is not possible to avoid using a vulnerable version of Guava: if your OSGi application uses Guava and Swagger together, you are obliged to use Guava 20, because that is the version required by Swagger. Here we explain why this is the case and how to configure your POM file to revert the earlier (vulnerable) Guava 20 library. First, you need to understand the concept of a double OSGi chain.

Double OSGi chain

Bundles in the OSGi runtime are wired together using package constraints (package name + optional version/range) — imports and exports. Each bundle can have multiple imports and usually those imports wire a given bundle with multiple bundles. For example: 

BundleA
+-- BundleB
|   +-- BundleCa
+-- BundleCb

Where BundleA depends on BundleB and BundleCb, while BundleB depends on BundleCa. BundleCa and BundleCb should be the same bundle, if the export the same packages, but due to version (range) constraints, BundleB uses (wires to) a different revision/version of BundleC than BundleA.

Rewriting the preceding diagram to reflect what happens when you include dependencies on both Guava and Swagger in an application: 

org.jboss.qe.cxf.rs.swagger-deployment
+-- Guava 27
+-- Swagger 1.5
    +-- reflections 0.9.11
        +-- Guava 20

If you try to deploy this bundle configuration, you get the error, org.osgi.framework.BundleException: Uses constraint violation.

Reverting to Guava 20

If your project uses both Guava and Swagger libraries (directly or indirectly), you should configure the maven-bundle-plugin to use an explicit version range (or no range at all) for the Guava bundle import, as follows: 

<Import-Package>
    com.google.common.base;version="[20.0,21.0)",
    com.google.common.collect;version="[20.0,21.0)",
    com.google.common.io;version="[20.0,21.0)"
</Import-Package>

This configuration forces your OSGi application to revert to the (vulnerable) Guava 20 library. It is therefore particularly important to avoid deserializing AtomicDoubleArray instances in this case.

CVE-2017-12629 Solr/Lucene -security bypass to access sensitive data - CVE-2017-12629

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. If your application uses a combination of Apache Solr with Apache Lucene (for example, when using the Camel Solr component), it could be affected by this security vulnerability. Please consult the linked security advisory for more details of this vulnerability and the mitigation steps to take.

Note

The Fuse runtime does not use Apache Solr or Apache Lucene directly. The security risk only arises, if you are using Apache Solr and Apache Lucene together in the context of an integration application (for example, when using the Camel Solr component).

7.2. Fuse Online

The Fuse Online distribution has the following known issues:

ENTESB-15063 Unable to override maven repositories

In Fuse 7.8, if you are running Fuse Online in an offline (disconnected from the internet) environment and you have configured the Fuse Online custom resource (CR) to use a custom Maven repository on your local network, for example: 

...
      server:
        features:
          maven:
            append: false
            repositories:
              customRepo1: http://192.0.2.0:8080
...

Then there are particular circumstances where other Maven repositories are consulted, in addition to the specified customRepo1, in spite of the fact that the append: false flag is specified in the CR. For example, this can happen if Fuse Online is configured to use extensions that download Maven dependencies while they are building. Typically, this issue causes longer build times, because the incorrect Maven repositories are consulted before the specified custom Maven repository, which wastes time during the build process.

ENTESB-15348 Syndesis-jaeger uses unproductized image on OCP 3.11

In Fuse 7.8, if you are attempting to install Fuse Online on OCP 3.11 with the Jaeger add-on enabled (enhanced activity tracking), it is possible you might encounter the following error: 

Unknown desc = toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

This happens because the productised Jaeger container references Dockerhub images, which are out of Red Hat’s control. To work around this issue, you can either wait until rate limit window times out, or disable the Jaeger add-on.

ENTESB-15292 Creating connection from API connector prefills old values
In Fuse 7.8, if you have an existing API client connector (for example, a connector listed under Customizations > API Client Connectors) and you edit the connector to change the Base URL field in the connector definition, you will find that this change does not get reflected in any API connections that you create using this connector. That is, the Base path field of the connections you create are defaulted to the old value of Base URL, before you made the change. To work around this issue you can simply change the Base path field in the connection to the new value, instead of relying on the default value from the API client connector.
ENTESB-14518 Jaeger operator installed by Syndesis 1.11 affects other namespaces
In Fuse 7.8, when you install Fuse 7.8 Online (Syndesis 1.11) on an OpenShift cluster, the Jaeger Operator (which gets installed along with Fuse Online) is configured to manage All namespaces by default. A side effect of this behavior is that, in the case where you already have Fuse 7.7 Online (Syndesis 1.10) installed on a cluster and then you install Fuse 7.8 Online in a different namespace, the Jaeger Operator installed with Fuse 7.8 Online tries to manage the (older) Jaeger instance installed on the Fuse 7.7 Online namespace. The result is that a new syndesis-jaeger pod — in addition to the existing syndesis-jaeger pod — appears in the Fuse 7.7 Online namespace and the new syndesis-jaeger pod enters the CrashLoopBackOff state. The original Fuse 7.7 Online instance is not affected and the crashed syndesis-jaeger pod can be safely ignored.
ENTESB-14237 Missing patch body in FHIR Patch operation

Starting in Fuse 7.7, specifying the JSon Patch as described in step 7 of the procedure Updating specified fields in a resource on a FHIR server does not work, because the value of the JSon Patch is not used by the connector and the error Unable to determine encoding of patch is raised by the integration.

To work around this issue, you can instead open up the settings for JSon Patch in the Data Mapper, as described in step 9.ii, and directly set the values of the fields, op, path, and value in the Data Mapper (see also the screenshots in ENTESB-14237).

ENTESB-13966 Discovery of deployed integration API seems disabled but not really
Starting in Fuse 7.7, after creating a new integration containing an API, the integration detail page wrongly implies that 3scale discovery is disabled for this integration. Additionally, the integration detail page does not show the API URL. By clicking this button three times (click Enable, then click Disable, then click Enable), you can resynchronize the page so that 3scale discovery is enabled and the API URL is displayed.
ENTESB-14114 SOAP connector - No icon auto-generated
If you do not provide an icon for the SOAP connector, Fuse Online does not generate an icon for you.

7.3. Fuse on OpenShift

This section lists issues that affect the deployment of Fuse applications on OpenShift. For details of issues affecting specific containers, see also the sections for Spring Boot, Fuse on Apache Karaf, and Fuse on JBoss EAP. The Fuse on OpenShift distribution has the following known issues:

ENTESB-15642 Candidate permutation failed due to a conflict between imports when migrating from Fuse 7.7 to 7.8 BOM

In Fuse 7.8, if you create a Karaf custom distribution (for example, based on the Fuse 7.8 Karaf custom quickstart) and then deploy this custom distribution to OpenShift, you might encounter an OSGi import conflict involving javax.xml.bind. This import conflict occurs because the Karaf system bundles export more than one version of the JAXB API package (that is, versions 2.2 and 2.3). Standalone Apache Karaf is not affected by this, because it ensures that the proper versions (both 2.2 and 2.3) of the JAXB packages are available through system bundle (that is, bundle 0). This ensures that when other features (like CXF ones) are installed, those features don’t have to install their own JAXB API bundles, thus preventing the API conflict.

To work around this problem you should add the following line to the POM of your Karaf custom distribution: 

<library>mvn:org.apache.servicemix.specs/org.apache.servicemix.specs.jaxb-api-2.3/${version.org.apache.servicemix.specs.jaxb};type:=endorsed;export:=true</library>

Where you need to replace ${version.org.apache.servicemix.specs.jaxb} in the above example with the relevant literal version in your POM file, because properties defined in a Maven BOM file are not carried over to the POM file. To discover the relevant value of the version.org.apache.servicemix.specs.jaxb property, start with the fuse-karaf-bom BOM file referenced in the dependencyManagement section of your POM and follow the chain of recursively imported BOM files, until you find the one that contains the definition of version.org.apache.servicemix.specs.jaxb. For example, for Fuse 7.8 you can find the value of the version.org.apache.servicemix.specs.jaxb property in the https://maven.repository.redhat.com/ga/org/jboss/fuse/jboss-fuse-parent/7.8.0.fuse-780038-redhat-00001/jboss-fuse-parent-7.8.0.fuse-780038-redhat-00001.pom BOM file.

ENTESB-15472 Fuse 7.8 operators not visible in operatorhub when using OCP 4.5
In Fuse 7.8, the Fuse operators (Fuse Console, Fuse Api Designer and Fuse Online) are available on the OperatorHub only when using OCP 4.6. For versions OCP 4.5 and below the Fuse 7.8 Operators are not available on the OperatorHub. To install the Fuse 7.8 operators, the recommended upgrade path is first to upgrade OpenShift to version OCP 4.6 and then to upgrade the Fuse operators to version 7.8.
ENTESB-15034 Missing labels on Openshift Service Object in FMP quickstart spring-boot-camel-rest-3scale
In Fuse 7.8, the spring-boot-camel-rest-3scale quickstart is missing the labels and annotations that would enable the deployed service to be automatically discovered by 3scale. To work around this problem, follow the instructions in the section Criteria for a discoverable service from the 3scale Admin Portal Guide to add the missing labels and annotations manually to the service object YAML definition.
ENTESB-15317 Apicurito generator pods are not ready
In Fuse 7.8, the health check port for the Apicurito generator pod does not start up. To work around this problem, the health check has been configured to ping HTTP port 8080 (which does start up), instead of HTTP port 8181, which is usually used for the health check probe.
ENTESB-12238 [SB2] Quickstarts arquillian test fail

Starting in Fuse 7.5.0, some of the Spring Boot 2 quickstarts (generated either from Maven archetypes or quickstart templates) fail to build and deploy to OpenShift. The following Spring Boot 2 Maven archetypes are affected:

  • spring-boot-camel-archetype
  • spring-boot-camel-infinspan-archetype
  • spring-boot-cxf-jaxrs-archetype
  • spring-boot-cxf-jaxws-archetype

And the following Spring Boot 2 templates:

  • spring-boot-2-camel-template
  • spring-boot-2-camel-infinspan-template
  • spring-boot-2-cxf-jaxrs-template
  • spring-boot-2-cxf-jaxws-template

To work around this issue, after generating a Maven project for one of these quickstarts, edit the project’s Maven pom.xml file to add the following dependency: 

<dependency>
  <groupId>org.assertj</groupId>
  <artifactId>assertj-core</artifactId>
  <version>2.4.1</version>
  <scope>test</scope>
</dependency>
ENTESB-10577 Apicurito does not support YAML Open API spec files
Starting in Fuse 7.4 on OpenShift, Apicurito generates OpenAPI specification files in YAML format by default, but is not capable of re-importing the generated YAML file. Only JSON format can be imported into Apicurito at the moment.

7.4. Fuse on Apache Karaf

Fuse on Apache Karaf has the following known issues:

ENTESB-8140 Start level of hot deploy bundles is 80 by default

Starting in the Fuse 7.0 GA release, in the Apache Karaf container the start level of hot deployed bundles is 80 by default. This can cause problems for the hot deployed bundles, because there are many system bundles and features that have the same start level. To work around this problem and ensure that hot deployed bundles start reliably, edit the etc/org.apache.felix.fileinstall-deploy.cfg file and change the felix.fileinstall.start.level setting as follows: 

felix.fileinstall.start.level = 90
ENTESB-7664 Installing framework-security feature kills karaf

The framework-security OSGi feature must be installed using the --no-auto-refresh option, otherwise this feature will shut down the Apache Karaf container. For example: 

feature:install -v --no-auto-refresh framework-security

7.5. Fuse on JBoss EAP

Fuse on JBoss EAP has the following known issues:

ENTESB-15308 Camel CXF not compatible with EAP-7.3.3.GA-redhat-00004
For Fuse 7.8 on EAP, we have found that Camel CXF is not compatible with EAP version 7.3.3. To work around this problem, you can install Fuse 7.8 on EAP version 7.3.2 instead.
ENTESB-14244 Add SOAP to Rest example that secures endpoint with Keycloak - update readme

In Fuse 7.7, there is an error in the README instructions for the new SOAP to Rest quickstart (camel-soap-rest-bridge). In the Prerequisites section, the command for installing the RH SSO EAP Adapter is given as: 

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli

But the correct command is actually: 

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
ENTESB-13168 Camel deployment on EAP domain mode is not working on Windows
Starting in Fuse 7.6.0, for Fuse on JBoss EAP, the Camel subsystem cannot be deployed on JBoss EAP in domain mode on Windows OS.

7.6. Fuse Tooling

Fuse Tooling has the following known issue:

FUSETOOLS-3393 Camel debugger automatic binding does not work with Fuse 7.8, Camel 2.25.1+ and Camel 3.2.0+

Due to the removal of the JMX RMI Connector feature from Fuse 7.8, the Camel Debugger does not work when you right-click a project and select the Debug as > Local Camel Context option. To workaround the issue, follow these steps:

  1. In the JMX navigator view, connect the process created for the Camel project.
  2. Expand the project to see the Camel node.
  3. Right-click on the Camel node and then select Edit routes.
FUSETOOLS-3393 Remote debugging is no longer supported
Due to the removal of the JMX RMI Connector feature from Fuse 7.8, using the Fuse Tooling Camel Debugger for remote debugging is not supported. For remote debugging, you must configure Jolokia and create a specific JMX connection through Jolokia.

7.7. Apache Camel

Apache Camel has the following known issues:

ENTESB-15343 XSLT component not working properly with IBM1.8 JDK
In Fuse 7.8, the Camel XSLT component does not work properly with the IBM 1.8 JDK. The problem occurs because the underlying Apache Xerces implementation of XSLT does not support the javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING property (see XERCESJ-1654).
ENTESB-11060 [camel-linkedin] V1 API is no longer supported
Since Fuse 7.4.0, the Camel LinkedIn component is no longer able to communicate with the LinkedIn server, because it is implemented using the LinkedIn Version 1.0 API, which is no longer supported by LinkedIn. The Camel LinkedIn component will be updated to use the Version 2 API in a future release of Fuse.
ENTESB-7469 Camel Docker component cannot use Unix socket connections on EAP
Since Fuse 7.0, the camel-docker component can connect to Docker only through its REST API, not through UNIX sockets.
ENTESB-5231 PHP script language does not work
The PHP scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for PHP.
ENTESB-5232 Python language does not work
The Python scripting language is not supported in Camel applications on the Apache Karaf container, because there is no OSGi bundle available for Python.
ENTESB-2443 Google Mail API - Sending of messages and drafts is not synchronous
When you send a message or draft, the response contains a Message object with an ID. It may not be possible to immediately get this message via another call to the API. You may have to wait and retry the call.
ENTESB-2332 Google Drive API JSON response for changes returns bad count of items for the first page
Google Drive API JSON response for changes returns bad count of items for the first page. Setting maxResults for a list operation may not return all the results in the first page. You may have to go through several pages to get the complete list (that is by setting pageToken on new requests).