Posted to java-commits@axis.apache.org by ve...@apache.org on 2010/06/27 10:39:38 UTC
svn commit: r958350 - in /axis/axis2/java/core/security: CVE-2010-1632.pdf advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
Author: veithen
Date: Sun Jun 27 08:39:37 2010
New Revision: 958350
URL: http://svn.apache.org/viewvc?rev=958350&view=rev
Log:
CVE-2010-1632: Updated the advisory with current information about vulnerable products and third party references.
Modified:
axis/axis2/java/core/security/CVE-2010-1632.pdf
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
Binary files - no diff available.
Modified: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (original)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Sun Jun 27 08:39:37 2010
@@ -27,7 +27,7 @@
<surname>Veithen</surname>
<email>veithen@apache.org</email>
</author>
- <releaseinfo>First version: May 16, 2010 ⢠First published: June 13, 2010 ⢠Last updated: June 13, 2010</releaseinfo>
+ <releaseinfo>First version: May 16, 2010 ⢠First published: June 13, 2010 ⢠Last updated: June 27, 2010</releaseinfo>
</articleinfo>
<section>
<title>Description</title>
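Review bot: the separator characters between the three dates in the changed releaseinfo line show up as mojibake ("⢠") in this diff view; before relying on the generated PDF, verify that CVE-2010-1632.xml is stored as UTF-8 with a matching encoding in its XML declaration, or replace the bullets with a character entity such as `&#x2022;` so the separators cannot be double-encoded in either the source or the rendered advisory.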
@@ -134,17 +134,51 @@
<section>
<title>Other products</title>
<para>
- Axis2 is used in (or as the basis for) other products. This includes the Synapse,
- ODE, Tuscany and Geronimo projects from the ASF, as well as several commercial
- products. It is likely that these products are vulnerable as well.
+ Axis2 is used in (or as the basis for) other Open Source projects and
+ commercial products. It is likely that these products are vulnerable as well.
+ At the time of writing, the following information is available:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Axis2 is used by the Synapse, ODE, Tuscany and Geronimo projects
+ from the ASF and it is expected that all these projects are
+ vulnerable.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Axis2 is used as the JAX-WS implementation in WebSphere Application
+ Server 7.0 and in the Feature Pack for Web Services for WAS 6.1.
+ Both are vulnerable. See
+ <ulink url="http://www-01.ibm.com/support/docview.wss?uid=swg21433581"/>
+ for details about the affected versions.
+ </para>
+ </listitem>
+ </itemizedlist>
<para>
It is possible that Web service frameworks other than Axis2 are affected by
- similar vulnerabilities.
+ similar vulnerabilities. At the time of writing, the following information
+ is available:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Axis 1.4 is not vulnerable and immediately rejects any request
+ containing a DOCTYPE declaration.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A similar vulnerability exists in Apache CXF. Please refer to
+ CVE-2010-2076 for more details.
+ </para>
+ </listitem>
+ </itemizedlist>
<para>
- The exploits described in <xref linkend="exploits"/> may be used to check
- whether a given product is vulnerable.
+ For projects and products not listed above or for which no information
+ is available, the exploits described in <xref linkend="exploits"/> may be
+ used to check for vulnerability.
</para>
</section>
</section>
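Review bot: the Apache CXF item cites CVE-2010-2076 as bare text while the WebSphere item uses a `<ulink>`; for consistency with the third-party references section, link it (e.g. `<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2076">CVE-2010-2076</ulink>`). The Axis 1.4 statement ("immediately rejects any request containing a DOCTYPE declaration") and the claim that Synapse, ODE, Tuscany and Geronimo are "expected" to be vulnerable both lack a version range or a pointer to how they were checked; stating which versions were tested, or marking the ASF-project item as unverified, would make the advisory easier for downstream users to act on. The self-closing IBM `<ulink url="..."/>` will render as the raw URL, which is acceptable but could carry link text such as the IBM document id for readability.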
@@ -466,6 +500,31 @@ expected a '<' to start a directive
initially described in JIRA report
AXIS2-4450<footnote><para><ulink url="https://issues.apache.org/jira/browse/AXIS2-4450"/></para></footnote>.
</para>
+ <para>
+ The issue is tracked by third parties with the following references:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1632">CVE-2010-1632</ulink>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <ulink url="http://secunia.com/advisories/40252">Secunia Advisory SA40252</ulink>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <ulink url="http://www.vupen.com/english/advisories/2010/1528">VUPEN/ADV-2010-1528</ulink>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=607118">Red Hat Bugzilla â Bug 607118</ulink>
+ </para>
+ </listitem>
+ </itemizedlist>
</section>
<section>
<title>Contact</title>
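Review bot: the link text for the Red Hat Bugzilla item contains a mis-encoded character ("Red Hat Bugzilla â Bug 607118"), presumably an en dash; use a plain hyphen or the `&#x2013;` entity so the rendered PDF does not show garbage. The other three entries in this list use distinct, hand-written label styles (CVE id, "Secunia Advisory SA40252", "VUPEN/ADV-2010-1528"); a uniform "Source: identifier" form would read more consistently, and the new paragraph could note that these references were current as of the "Last updated" date since third-party advisories get revised.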