Posted to java-user@axis.apache.org by Andreas Veithen <an...@gmail.com> on 2015/08/02 02:12:03 UTC

Re: apache-commons-fileupload symlink vulnerability CVE-2013-0248

For this vulnerability to be exploitable, the following conditions must be met:

1) The attacker must have shell access to the machine on which Axis2
runs with any account. Obviously the vulnerability is interesting only
if that account is unprivileged and different from the account Axis2
runs as.
2) Axis2 must be configured to use the servlet based HTTP transport
(because commons-fileupload depends on the servlet API).
3) The temporary directory as configured by the java.io.tmpdir system
property must be writable to the attacker. In practice, this means
world writable, as is the case if java.io.tmpdir is set to /tmp.
4) MultipartFormDataBuilder must be enabled. This is the case for the
default axis2.xml config file distributed with Axis2.
5) At least one Web service must be deployed on Axis2. [I'm not 100%
sure here, but this condition is trivially satisfied in most cases
anyway]

For the standalone Axis2 server, condition 3 is satisfied, but 2 is
not. Tomcat sets java.io.tmpdir to a directory that is writable only
to the user the Tomcat instance runs as. Therefore condition 2 is not
satisfied, and Axis2 deployments on Tomcat are not vulnerable. I would
expect that any decent application server behaves similarly to Tomcat. A
notable exception is IBM WebSphere Application Server which doesn't
change java.io.tmpdir, so that it points to the default /tmp. This
would mean that Axis2 applications deployed on WAS will likely be
vulnerable. Note that I believe that the Axis2 version that is part of
the JAX-WS implementation in the WAS runtime is not vulnerable because
it doesn't enable MultipartFormDataBuilder.

Also note that the mitigation strategy is trivial: upgrade
commons-fileupload or disable MultipartFormDataBuilder.

Andreas

On Thu, Jul 23, 2015 at 11:41 AM, Charlie Martin
<ch...@uk.ibm.com> wrote:
> Hi,
>
> The current (v1.6.3) and previous releases of Axis2 contain the apache
> commons-fileupload-1.2.jar.
>
> This jar is flagged as being vulnerable to CVE-2013-0248
>
> Could anyone confirm if either:
>
> - This vulnerability is not applicable to the use of the jar in Axis2
> - If an update is planned
>
>
> Details of the vulnerability:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248
>
> Many thanks,
> Charlie Martin
>
>
> WebSphere MQ Development
> IBM Hursley Labs, Hursley Park, Winchester, Hants. SO21 2JN. UK.
> Email: charlie.martin@uk.ibm.com
> Tel: +44 (0) 1962 815860, Internal: 37245860
>
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
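
Added example (not part of the original thread, and not code from Axis2 or any application server): a shell check for conditions 3 and 4 from the list in the reply, i.e. whether the directory used as java.io.tmpdir is world-writable and whether MultipartFormDataBuilder is referenced in axis2.xml outside XML comments. The function names and the two path arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks conditions 3 and 4 from the reply on one host.
# Both paths are supplied by the operator; function names are illustrative.

# Condition 3: is the directory used as java.io.tmpdir writable by "other"?
# -L follows a symlinked tmpdir; -prune tests only the directory itself.
tmpdir_world_writable() {
    [ -d "$1" ] && [ -n "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Condition 4: is MultipartFormDataBuilder referenced in axis2.xml outside
# of XML comments? A commented-out <messageBuilder> entry must not count.
builder_enabled() {
    awk '{ s = s $0 "\n" }
         END {
             # Copy everything that lies outside <!-- ... --> into "out".
             while ((i = index(s, "<!--")) > 0) {
                 out = out substr(s, 1, i - 1)
                 s = substr(s, i + 4)
                 j = index(s, "-->")
                 s = (j > 0) ? substr(s, j + 3) : ""
             }
             exit (index(out s, "MultipartFormDataBuilder") > 0) ? 0 : 1
         }' "$1"
}

# Combine both checks. Prints a one-line verdict; returns 0 when both hold.
audit() {
    tmpdir=$1 axis2_xml=$2
    if ! tmpdir_world_writable "$tmpdir"; then
        echo "OK: $tmpdir is not world-writable (condition 3 not met)"; return 1
    fi
    if ! builder_enabled "$axis2_xml"; then
        echo "OK: MultipartFormDataBuilder disabled (condition 4 not met)"; return 1
    fi
    echo "REVIEW: $tmpdir is world-writable and MultipartFormDataBuilder is enabled"
    return 0
}

# Usage: sh check.sh <java.io.tmpdir value> <path to axis2.xml>
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A REVIEW verdict covers only these two conditions; the transport in use and the commons-fileupload jar version still have to be checked separately.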
