This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 20f78ca33f51d7375a008e3b385b9ae73695536a Author: Robert Lazarski <[email protected]> AuthorDate: Mon Jun 1 09:35:44 2026 -1000 Address Gemini review findings for Glasswing threat model - Clarify Rampart module boundary: integration bypass is in-scope - Remove sensitive details from clustering CVE section - Add admin console as high-priority scan area in AGENTS.md Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- AGENTS.md | 12 +++++++++++- SECURITY.md | 24 ++++++++++++------------ 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index f1345b6f36..bcd75ca84b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -66,7 +66,17 @@ Key files: - `modules/kernel/src/org/apache/axis2/builder/MultipartFormDataBuilder.java` - `modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java` -### 5. HTTP Transport Entry Points +### 5. Admin Console (webapp) + +The admin console has a history of web vulnerabilities (CVE-2010-3981: +CSRF/XSS). Scan for common web security issues including authentication, +authorization, session management, and input validation. + +Key files: +- `modules/webapp/src/main/java/org/apache/axis2/webapp/` +- `modules/webapp/src/main/webapp/axis2-web/` + +### 6. HTTP Transport Entry Points The HTTP transport is the primary attack surface. Scan for header injection, request smuggling, and URI parsing issues. diff --git a/SECURITY.md b/SECURITY.md index 6f1c49a281..baf83207d8 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -67,8 +67,10 @@ WildFly) or embedded via Spring Boot. visible. This is documented behavior controllable via `axis2.xml`. - **Denial of service at the network level.** SYN floods, slowloris, or transport-layer attacks are mitigated by the servlet container, not Axis2. -- **Vulnerabilities in optional, external modules.** Rampart (WS-Security) - is a separate repository with its own security process. +- **Vulnerabilities *within* optional, external modules.** For example, + a flaw in Rampart's cryptographic implementation would be handled by + the Rampart project. However, a flaw in Axis2's handler pipeline that + allows the Rampart module to be bypassed *is* a vulnerability in Axis2. ## Architecture and Attack Surface 
@@ -156,16 +158,14 @@ weight these areas accordingly. ### 1. Deserialization of Untrusted Data (most severe) -**Clustering feature (removed in 2.0.1):** -The Axis2 clustering module reused Apache Tribes for inter-node -communication without enabling Tribes' encryption. An attacker with -network access to port 4000 could send crafted serialized Java objects -to `Axis2ChannelListener#messageReceived`, achieving RCE via standard -deserialization gadget chains (e.g., commons-collections -`InvokerTransformer`). Reported by Huawei security team (May 2025). -Resolved by complete removal of the clustering module in 40+ files -([AXIS2-6097](https://issues.apache.org/jira/browse/AXIS2-6097), -commit `e6f53b230b`). CVE pending publication with 2.0.1 release. +**Clustering module (removed):** +A previous version of Axis2 included a clustering module for multi-node +coordination using Apache Tribes. This module exposed a network listener +that deserialized Java objects from untrusted network streams without +validation, enabling Remote Code Execution (RCE) via standard +deserialization gadget chains. Resolved by complete removal of the +clustering module in 40+ files +([AXIS2-6097](https://issues.apache.org/jira/browse/AXIS2-6097)). **Lesson:** Any `ObjectInputStream.readObject()` on network input is a critical-severity finding. The remaining use of Java serialization in
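Review bot: in the AGENTS.md hunk, the renumbering of `### 5. HTTP Transport Entry Points` to `### 6.` is the only heading change visible, so any later sections in AGENTS.md (a previous `### 6.`, `### 7.`, and so on) and any cross-references to section numbers elsewhere in the file need the same shift, otherwise two sections now carry the number 6. The scan guidance in the new Admin Console section is generic; since CVE-2010-3981 is cited as CSRF/XSS, it would help to name the checks that history points at: a CSRF token on every state-changing admin action, output encoding in the JSPs under `modules/webapp/src/main/webapp/axis2-web/`, and session handling on the login path. Minor: `AdminActions.java` is already listed in the key files immediately above the new section, so the two lists overlap; pointing to it once is enough.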
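Review bot: in the first SECURITY.md hunk, the new boundary is the right one, but "allows the Rampart module to be bypassed" is the clause a reporter has to interpret, and it should say what a bypass looks like in Axis2 terms: a message that reaches the service operation without the Rampart handler having executed, for example through handler or phase ordering, a dispatch path that skips engaged modules, or a fault or response path the module does not cover. Spelling that out lets triage separate an Axis2 pipeline flaw from a Rampart policy misconfiguration. Also consider linking Rampart's own reporting channel here, since the text sends reporters there without saying where.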
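Review bot: in the clustering hunk, dropping the port, listener class, reporter and commit hash is reasonable for a public threat model, but the rewrite also drops "removed in 2.0.1", which is the one fact an operator needs to decide whether a deployment is affected; `**Clustering module (removed):**` should keep the version, e.g. `(removed in 2.0.1)`, and the CVE identifier should be added once published, since the old "CVE pending publication" note is gone as well. Minor: "deserialized Java objects from untrusted network streams without validation" can be read as saying a deserialization filter would have been an adequate fix; since the resolution was removal and the Lesson below treats any `ObjectInputStream.readObject()` on network input as critical, consider dropping "without validation".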
