Bug#929266: axis: CVE-2019-0227

Sylvain Beucler beuc at beuc.net
Fri May 24 08:09:35 BST 2019


Hi!

On Thu, May 23, 2019 at 11:42:51PM +0200, Markus Koschany wrote:
> On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > Package: axis
> > X-Debbugs-CC: team at security.debian.org
> > Tags: security
> > 
> > The following vulnerability was published for axis.
> > 
> > CVE-2019-0227[0]:
> > | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> > | Axis 1.4 distribution that was last released in 2006. Security and bug
> > | commits continue in the project's Axis 1.x Subversion
> > | repository, legacy users are encouraged to build from source. The
> > | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> > | vulnerable to this issue.
> > 
> > The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> > packages, however a SSRF mitigation was also committed [1].
> 
> I believe the SSRF mitigation should be viewed in the context of the
> vulnerable StockQuoteService.jws file.

AFAIU the vulnerable StockQuoteService.jws is fixed by its removal,
and similar XMLUtils-based services need the mitigation.
In either case the root SSRF issue is not fixed.


> Since we don't ship this file in
> our binary packages, I think it is correct to mark the issue as
> unimportant. However I agree it is sensible to change
> uconn.setInstanceFollowRedirects(true) to
> uconn.setInstanceFollowRedirects(false).
> 
> I don't think it is likely that this issue is somehow exploited when
> using our Debian package. We use axis mainly as a build-dependency for
> other packages. We could change the default for
> uconn.setInstanceFollowRedirects in Buster but keep it this way in
> Jessie and Stretch.

I trust your judgement on this.


> It is nice to know that there is ongoing work on axis1. I think we could
> update this package after the freeze and track the new upstream
> development at
> 
> https://github.com/apache/axis1-java/

The canonical repo is at
https://svn.apache.org/viewvc/axis/axis1/java/trunk/
(it would be good if Apache updated their SVN page..)

Cheers!
Sylvain
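As an added illustration of the setInstanceFollowRedirects change discussed in this thread (example code written for this page, not Axis's own XMLUtils code): a service that fetches a user-supplied URL with HttpURLConnection, first with redirects followed and then with them disabled. The two HTTP servers are constructed inline on loopback with the JDK's built-in com.sun.net.httpserver (assumed available, Java 9 or later for InputStream.readAllBytes); the "internal" one stands in for a host an attacker cannot reach directly, and the "attacker" one answers with a 302 pointing at it.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/**
 * Constructed demonstration (not Axis code) of a redirect-based SSRF and the
 * effect of HttpURLConnection.setInstanceFollowRedirects(false).
 */
public class RedirectSsrfDemo {

    /** Fetch a URL the way a naive XML/WSDL loader would; returns status plus body or Location. */
    static String fetch(URL url, boolean followRedirects) throws IOException {
        HttpURLConnection uconn = (HttpURLConnection) url.openConnection();
        uconn.setInstanceFollowRedirects(followRedirects);
        uconn.setConnectTimeout(2000);
        uconn.setReadTimeout(2000);
        int code = uconn.getResponseCode();
        if (code >= 300 && code < 400) {
            // Redirects disabled: the 3xx is surfaced instead of silently followed,
            // so the caller can inspect (or reject) the Location it was pointed at.
            return code + " -> Location: " + uconn.getHeaderField("Location");
        }
        try (InputStream in = uconn.getInputStream()) {
            return code + " " + new String(in.readAllBytes(), StandardCharsets.UTF_8).trim();
        }
    }

    public static void main(String[] args) throws Exception {
        // "Internal" service on loopback, standing in for a host only the server can reach.
        HttpServer internal = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        internal.createContext("/secret", ex -> {
            byte[] body = "internal-only data".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        internal.start();
        String internalUrl = "http://127.0.0.1:" + internal.getAddress().getPort() + "/secret";

        // "Attacker" server: a harmless-looking URL that answers with a 302 to the internal target.
        HttpServer attacker = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        attacker.createContext("/wsdl", ex -> {
            ex.getResponseHeaders().add("Location", internalUrl);
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        attacker.start();
        URL attackerUrl = new URL("http://127.0.0.1:" + attacker.getAddress().getPort() + "/wsdl");

        try {
            // Following redirects: the fetch lands on the internal service and returns its body.
            System.out.println("follow=true : " + fetch(attackerUrl, true));
            // Redirects disabled: the fetch stops at the 302 and the internal body is never read.
            System.out.println("follow=false: " + fetch(attackerUrl, false));
        } finally {
            attacker.stop(0);
            internal.stop(0);
        }
    }
}
```

Run with `java RedirectSsrfDemo.java` (single-file mode, Java 11+). Note what the change does and does not buy: with setInstanceFollowRedirects(false) the attacker can no longer bounce the fetch through a redirect to a host of their choosing, but as long as the URL itself is user-controlled the server will still connect to whatever that URL names, which is the root SSRF issue mentioned above. Inspecting the Location header on a 3xx, as fetch() does, is what lets a caller apply an allow-list before deciding whether to follow.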


