Posted to java-user@axis.apache.org by Dariusz Kordonski <dk...@atlassian.com> on 2010/07/20 09:33:53 UTC

Fwd: Axis 1.3 and CVE-2010-1632

Hi there,

tried to deliver the below message to the Axis (original Axis) mailing
group, but it seems that the only active group is this one? Hope that
somebody here can help me sort out my questions (or direct to the correct
mailing group). Thanks!

Best regards,
Dariusz Kordonski [Atlassian]

---------- Forwarded message ----------
From: Dariusz Kordonski <dk...@atlassian.com>
Date: 20 July 2010 16:20
Subject: Axis 1.3 and CVE-2010-1632
To: axis-dev@ws.apache.org


Hi,

we have recently been inquired about
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf and
if it affects our product (Atlassian JIRA).

This security advisory refers to vulnerabilities in Axis2 that result from
processing (under some conditions) of DTD references by the Axis2 XML
parser. The document also clarifies (page 2) that Axis v1.4 is not affected
by this, as it immediately rejects any requests containing a DOCTYPE
declaration.

Unfortunately, Atlassian JIRA uses Axis in version *1.3* as a foundation for
its SOAP API, and, although we are quite certain this version remains
unaffected too, we were unable to find any official statement confirming our
assumptions. We performed some simple tests by means of sending requests
with the following declaration:
<!DOCTYPE createIssue [
<!ENTITY file SYSTEM "/etc/hosts">
]>

included at the beginning of the SOAP request. As a result we received:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.userException</faultcode>
      <faultstring>org.xml.sax.SAXException: Processing instructions are not allowed within SOAP messages</faultstring>
      <detail>
        <faultData xsi:type="ns1:SAXException" xmlns:ns1="http://sax.xml.org">
          <cause xsi:type="ns2:Throwable" xsi:nil="true" xmlns:ns2="http://lang.java"/>
          <exception xsi:type="ns3:Exception" xsi:nil="true" xmlns:ns3="http://lang.java"/>
          <message xsi:type="xsd:string">Processing instructions are not allowed within SOAP messages</message>
        </faultData>
        <ns4:hostname xmlns:ns4="http://xml.apache.org/axis/">notresspassing</ns4:hostname>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

which seems to be confirming that Axis v1.3 is indeed protected against this
particular exploit. We are, however, not quite sure if this kind of test is
enough. Can you therefore confirm that Axis 1.3 exposes the same level of
protection against the above exploit as Axis 1.4 does? Alternatively, what
other kind of tests should we perform to make sure it does?

Best regards,
Dariusz Kordonski [Atlassian]
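
The behaviour the message above relies on, a request being refused as soon as it carries a DOCTYPE, can be enforced at the parser level in any JAXP-based service. The following is an added example, not part of the thread and not Axis code: it uses the Xerces `disallow-doctype-decl` feature rather than Axis's own check, and the class name and sample envelope are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (hypothetical class name): a SAX parser that refuses any DOCTYPE. */
public class DoctypeRejectionCheck {

    // Xerces feature, also honoured by the JDK's built-in parser: a DOCTYPE
    // declaration becomes a fatal error, so no entity is declared or resolved.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newSAXParser();
    }

    /** Returns true if the document parses, false if the parser rejects it. */
    static boolean accepted(String xml) throws Exception {
        try {
            hardenedParser().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample envelope; createIssue is the operation named in the message.
        String envelope =
                "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
              + "<soapenv:Body><createIssue/></soapenv:Body></soapenv:Envelope>";
        // The DOCTYPE from the message, placed at the beginning of the request.
        String probe = "<!DOCTYPE createIssue [<!ENTITY file SYSTEM \"/etc/hosts\">]>" + envelope;

        if (!accepted(envelope)) throw new AssertionError("plain envelope must parse");
        if (accepted(probe)) throw new AssertionError("DOCTYPE must be rejected");
        System.out.println("DOCTYPE rejected, plain envelope accepted");
    }
}
```

Run as a regression test, the two checks in `main` fail loudly if a parser or library upgrade silently re-enables DOCTYPE processing.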

Re: Axis 1.3 and CVE-2010-1632

Posted by Dariusz Kordonski <dk...@atlassian.com>.
Thanks a lot for the explanation Andreas! I think we can consider Axis 1.3
safe then.

Regards,
Dariusz

On 21 July 2010 06:37, Andreas Veithen <an...@gmail.com> wrote:

> Dariusz,
>
> The statement in the advisory is based on a test I did on a service
> implemented with Axis 1.4 and on a statement from one of the
> developers of Axis that they identified and fixed this vulnerability
> some years ago. I did not do a code analysis of Axis and I did not do
> a test on any other version of Axis. If you used the exploits
> described in the advisory to test Axis 1.3 and that test gives the
> result you describe, then that version should be considered safe.
>
> Andreas

Re: Axis 1.3 and CVE-2010-1632

Posted by Andreas Veithen <an...@gmail.com>.
Dariusz,

The statement in the advisory is based on a test I did on a service
implemented with Axis 1.4 and on a statement from one of the
developers of Axis that they identified and fixed this vulnerability
some years ago. I did not do a code analysis of Axis and I did not do
a test on any other version of Axis. If you used the exploits
described in the advisory to test Axis 1.3 and that test gives the
result you describe, then that version should be considered safe.

Andreas
