Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0153
A vulnerability has been identified in Apache Axis2 prior to
versions 1.5.2 and 1.6.
24 June 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Axis2 prior to 1.5.2 and 1.6
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2010-1632
Member content until: Saturday, July 24 2010
Reference: ESB-2010.0553
OVERVIEW
A vulnerability has been identified in Apache Axis2 prior to versions
1.5.2 and 1.6.
IMPACT
The vendor has provided the following description for this
vulnerability, which has been assigned CVE-2010-1632:
"The vulnerability described in this advisory may allow an attacker to
read arbitrary files on the file system of the node where Axis2 runs,
provided that the account running the Axis2 instance has access to
these files and that Java 2 security is not used to prevent file system
access. An attacker may also be able to retrieve unsecured resources
from the network if they are reachable from the Axis2 instance with
URLs that are recognized by the Java runtime. However, to do so, the
attacker needs to create a specially crafted request that requires
knowledge about the services deployed on the Axis2 instance. Therefore,
this vulnerability cannot be exploited in an automated way.
The vulnerability may also allow the attacker to check the file system
of the server (resp. network resources reachable by the server) for
the existence of certain files (resp. resources), as well as to carry
out Denial of Service attacks. These attacks dont require knowledge
about the services deployed on Axis2 and may thus be exploited using
scripting." [1]
MITIGATION
The vendor recommends upgrading to the latest version of Axis2,
however at the time of this publication, neither Axis2 1.5.2 nor
Axis2 1.6 has been released. In the interim, the vendor recommends
applying a fix which is available from:
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/secfix-cve-2010-1632 [1]
REFERENCES
[1] Apache Axis2 Security Advisory (CVE-2010-1632)
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMIrt+/iFOrG6YcBERAiJcAJ9SrwumYXCnn2XUWxbPgFhlml0JuACfSifQ
9zeJq8bTWZfUQNA5rd0ugiA=
=gnDD
-----END PGP SIGNATURE-----