This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 19089eb7b0283a483a36e0150409cd5006be46a4 Author: Robert Lazarski <[email protected]> AuthorDate: Mon Jun 1 09:29:09 2026 -1000 Add security threat model and AGENTS.md for Glasswing scan ASF Security Team's Glasswing program requires a security/threat model and AGENTS.md before running AI-driven vulnerability scans. Documents roles, trust levels, security boundaries, attack surface by component, CVE history (clustering deserialization, XXE/SSRF, dependency CVEs), and existing hardening measures. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- AGENTS.md | 101 +++++++++++++++++++++++++ SECURITY.md | 243 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 344 insertions(+) diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000000..f1345b6f36 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,101 @@ +# AGENTS.md — Apache Axis2/Java + +## Security Threat Model + +See [SECURITY.md](SECURITY.md) for the full threat model, including: + +- Project description and architecture +- Roles and trust levels (server admin, service deployer, authenticated/anonymous client) +- Security boundaries: what is and is not a security issue +- Attack surface by component (XML parsers, WSDL imports, JSON, deserialization, file uploads, hot-deployment) +- CVE history and lessons learned (deserialization, XXE/SSRF, dependency CVEs) +- Existing hardening measures + +## High-Priority Scan Areas + +Based on Axis2's CVE history, the following areas deserve the most scrutiny: + +### 1. Deserialization (historically most severe) + +The clustering module was removed due to unvalidated `ObjectInputStream` +deserialization on network input. Scan for any remaining paths where +`ObjectInputStream.readObject()` processes data reachable from untrusted +input. The known remaining use is `SafeObjectInputStream` (whitelist-based) +in context externalization — verify the whitelist is complete and not +bypassable. + +Key files: +- `modules/kernel/src/org/apache/axis2/context/externalize/SafeObjectInputStream.java` + +### 2. XML Parsing (XXE/SSRF via third-party libraries) + +wsdl4j and xmlschema-core create their own XML parser factories without +XXE hardening. Axis2 wraps these with `SecureWSDLLocator` and hardened +URI resolvers. Scan for any XML parsing path — especially through +transitive dependencies — that bypasses this wrapping. + +Key files: +- `modules/kernel/src/org/apache/axis2/util/SecureWSDLLocator.java` +- `modules/kernel/src/org/apache/axis2/util/XMLUtils.java` +- `modules/kernel/src/org/apache/axis2/util/DefaultEntityResolver.java` +- `modules/kernel/src/org/apache/axis2/deployment/resolver/AARFileBasedURIResolver.java` +- `modules/kernel/src/org/apache/axis2/deployment/resolver/WarFileBasedURIResolver.java` +- `modules/kernel/src/org/apache/axis2/deployment/resolver/AARBasedWSDLLocator.java` +- `modules/kernel/src/org/apache/axis2/deployment/resolver/WarBasedWSDLLocator.java` + +### 3. JSON Processing + +JSON-RPC is the primary protocol for production deployments. Scan the +JSON message builder and dispatcher for: +- Deep nesting / stack exhaustion (CVE-2024-57699 pattern) +- Method name injection in JSON-RPC dispatch +- Type confusion in JSON-to-Java object mapping +- Large payload resource exhaustion + +Key files: +- `modules/kernel/src/org/apache/axis2/json/` (JSON builders and formatters) +- `modules/kernel/src/org/apache/axis2/dispatchers/` (JSON-based dispatcher) + +### 4. Multipart/File Upload + +Migrated from commons-fileupload 1.x to commons-fileupload2 for +CVE-2023-24998. Verify the migration is complete and no legacy code +paths remain. + +Key files: +- `modules/kernel/src/org/apache/axis2/builder/MultipartFormDataBuilder.java` +- `modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java` + +### 5. HTTP Transport Entry Points + +The HTTP transport is the primary attack surface. Scan for header +injection, request smuggling, and URI parsing issues. + +Key files: +- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java` +- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/HTTPWorker.java` + +## Project Structure + +``` +modules/ + kernel/ Core engine: message pipeline, handlers, deployment, + XML parsing, dispatchers, context, JSON processing + transport/ Pluggable transports: HTTP, local, JMS, TCP, UDP, mail + webapp/ Admin console WAR + addressing/ WS-Addressing module + openapi/ OpenAPI + Swagger UI + MCP catalog generation + fuzz/ Jazzer fuzz targets (XML, JSON, HTTP headers, URLs) + samples/ Sample services including Spring Boot deployments +systests/ Integration tests +``` + +## Testing and Fuzzing + +Fuzz targets exist in `modules/fuzz/` covering XML, JSON, HTTP header, +and URL parsers. See `src/site/xdoc/docs/OSS-FUZZ.md` for details. +Axis2/C has an active Google OSS-Fuzz integration. + +## Reporting + +Security vulnerabilities: **[email protected]** diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..6f1c49a281 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,243 @@ +# Security Threat Model — Apache Axis2/Java + +## Project Description + +Apache Axis2/Java is a SOAP and REST web services engine. It provides a +message-processing pipeline with pluggable transports (HTTP/HTTPS, JMS, TCP, +local), a module system for cross-cutting concerns (WS-Security via Rampart, +WS-Addressing), hot-deployment of service archives (AAR/MAR), and +multi-protocol serving (JSON-RPC, REST/OpenAPI, MCP) from a single service +deployment. It runs inside a Jakarta Servlet container (Tomcat, Jetty, +WildFly) or embedded via Spring Boot. + +## Roles and Trust Levels + +| Role | Trust Level | Description | +|------|-------------|-------------| +| **Server Administrator** | Fully trusted | Configures `axis2.xml`, deploys/removes modules and services, controls the servlet container. Has filesystem and JVM-level access. | +| **Service Deployer** | Trusted | Drops AAR archives into `WEB-INF/services/`. May be the same person as the administrator, or a CI pipeline. | +| **Module Developer** | Trusted | Builds and deploys MAR module archives that add handlers to the processing pipeline. Code executes with full JVM privileges. | +| **Authenticated Client** | Partially trusted | A remote caller whose identity has been verified by the servlet container, a servlet filter, or a WS-Security module (Rampart). Authorized actions depend on the application. | +| **Anonymous Client** | Untrusted | A remote caller with no credentials. Can reach any endpoint exposed by the HTTP transport. All input is hostile. | + +## Security Boundaries + +### What IS a security issue + +- **Remote Code Execution (RCE)** via the Axis2 framework itself — not + through user-written service logic. +- **XML External Entity (XXE) injection** — the framework's XML parsers + resolve external entities or allow DOCTYPE declarations from untrusted + input, enabling file read, SSRF, or denial of service. +- **Server-Side Request Forgery (SSRF)** — an attacker causes the server + to make requests to arbitrary internal or external hosts through framework + features such as WSDL/XSD import resolution, endpoint references, or + transport senders. +- **Deserialization of untrusted data** — framework-level Java object + deserialization that can be triggered by remote input without a class + whitelist. This was historically the most severe class of vulnerability + in Axis2 (see CVE history below). +- **Denial of Service via parser abuse** — billion-laughs XML bombs, deeply + nested JSON, or other input that causes unbounded memory or CPU + consumption inside framework-level parsers. +- **Authentication or authorization bypass** — a flaw in the handler/phase + pipeline that allows a message to skip an engaged security module. +- **Information disclosure of server internals** — stack traces, class + names, or configuration details leaked to unauthenticated callers through + fault messages or metadata endpoints when exposure has been disabled. +- **Path traversal** — a crafted service name, URI component, or WSDL + import location that allows reading or writing files outside expected + directories. +- **Multipart/file upload abuse** — unbounded file counts or sizes via + multipart form data that exhaust server resources. + +### What is NOT a security issue + +- **Vulnerabilities in user-written services.** SQL injection, broken + access control, or insecure business logic in a deployed service are the + service author's responsibility. +- **Missing authentication on endpoints.** Axis2 does not ship built-in + authentication. Securing endpoints is the responsibility of the servlet + container, servlet filters, or engaged security modules (Rampart). +- **Hot-deployment with weak filesystem permissions.** If an attacker has + write access to `WEB-INF/services/` or `WEB-INF/modules/`, they can + deploy arbitrary code. This is an OS/container configuration issue. +- **Service enumeration via `/services/` listing.** When + `exposeServiceMetadata` is `true` (the default), service names are + visible. This is documented behavior controllable via `axis2.xml`. +- **Denial of service at the network level.** SYN floods, slowloris, or + transport-layer attacks are mitigated by the servlet container, not Axis2. +- **Vulnerabilities in optional, external modules.** Rampart (WS-Security) + is a separate repository with its own security process. + +## Architecture and Attack Surface + +### Message Processing Pipeline + +``` +Remote Client (untrusted input) + | + v +Servlet Container (TLS termination, optional authentication) + | + v +AxisServlet / HTTPWorker <-- HTTP entry point + | + v +MessageContext created <-- request metadata captured + | + v +Transport-In Phase <-- transport-level handlers + | + v +Dispatchers <-- route to service/operation + (URI, SOAPAction, WS-Addressing, JSON method, HTTP location) + | + v +Handler Phases <-- global + per-service handlers + (security modules like Rampart execute here) + | + v +Message Builder <-- deserialize body + (SOAP, XML, JSON, MTOM, multipart/form-data) + | + v +MessageReceiver <-- invoke service method + | + v +Response Phases + Transport-Out <-- serialize response, send +``` + +### URL Patterns + +Axis2 exposes the following URL patterns from the servlet mapping: + +| Pattern | Purpose | Trust Requirement | +|---------|---------|-------------------| +| `/services/{ServiceName}` | JSON-RPC and SOAP service invocation | Application-defined | +| `/services/{ServiceName}/{Operation}` | REST-style per-operation invocation | Application-defined | +| `/services/{ServiceName}?wsdl` | WSDL metadata retrieval | Anonymous (if `exposeServiceMetadata=true`) | +| `/services/{ServiceName}?xsd` | XML Schema retrieval | Anonymous (if `exposeServiceMetadata=true`) | +| `/services/` | Service listing | Anonymous (if `exposeServiceMetadata=true`) | +| `/openapi.json` | OpenAPI 3.0 schema (if OpenAPI module engaged) | Anonymous | +| `/swagger-ui` | Swagger UI (if OpenAPI module engaged) | Anonymous | +| `/openapi-mcp.json` | MCP tool catalog (if OpenAPI module engaged) | Anonymous | + +### Attack Surface by Component + +| Component | Threats | Mitigations | +|-----------|---------|-------------| +| **XML parsers** (AXIOM/StAX, DocumentBuilderFactory) | XXE, billion laughs, entity expansion DoS | DOCTYPE disallowed; external entities disabled; `DefaultEntityResolver` returns empty source | +| **WSDL/XSD import resolution** (wsdl4j, xmlschema-core) | XXE in imported documents; SSRF via `file://`/`gopher://` schemes | `SecureWSDLLocator` pre-validates with hardened SAX parser; protocol whitelist (HTTP/HTTPS only); size limit (10MB default); connect/read timeouts; relative-path SSRF bypass blocked | +| **JSON parser** (Gson) | Deep nesting stack exhaustion, large payload DoS | Fuzz-tested (1.7M+ iterations); Gson nesting limits | +| **JSON-RPC dispatch** | Method name injection; unexpected operation invocation | Method names validated against deployed operations; unknown methods return fault | +| **Multipart/file upload** (commons-fileupload2) | Unbounded file count DoS (CVE-2023-24998 pattern) | Migrated from commons-fileupload 1.x to commons-fileupload2 which enforces file count limits | +| **Service dispatchers** | Routing to unintended service; header spoofing | Dispatchers validate service existence; unknown services return fault | +| **Hot-deployment** (DeploymentEngine) | Malicious AAR/MAR deploys arbitrary code | Trust boundary is filesystem access; no signature verification (admin operation) | +| **Context externalization** (SafeObjectInputStream) | Java deserialization gadget chains | Whitelist-based `SafeObjectInputStream`; restricted to known Axis2 context classes | +| **Metadata endpoints** (`?wsdl`, `?xsd`, `/services/`) | Service enumeration, schema disclosure | Controllable via `exposeServiceMetadata` parameter | +| **MTOM/attachment handling** | Large attachment DoS, temp file exhaustion | Streaming processing; `TempFileManager` cleanup | +| **`?fields=` query parameter** (field selection, if enabled) | Reflection-based field filtering on response objects | Field names validated against declared response type; no dynamic class loading | + +### Transports + +| Transport | Security Notes | +|-----------|----------------| +| HTTP/HTTPS | TLS handled by servlet container. No framework-level auth. Primary production transport. | +| Local (in-JVM) | No network exposure. JVM-level isolation only. | +| JMS | Authentication delegated to JMS broker. | +| TCP | Raw sockets. No encryption or authentication. Trusted networks only. | +| UDP | No encryption, no authentication, no reliability. Trusted networks only. | + +## CVE History and Lessons Learned + +Axis2's CVE history concentrates in three categories. The scan should +weight these areas accordingly. + +### 1. Deserialization of Untrusted Data (most severe) + +**Clustering feature (removed in 2.0.1):** +The Axis2 clustering module reused Apache Tribes for inter-node +communication without enabling Tribes' encryption. An attacker with +network access to port 4000 could send crafted serialized Java objects +to `Axis2ChannelListener#messageReceived`, achieving RCE via standard +deserialization gadget chains (e.g., commons-collections +`InvokerTransformer`). Reported by Huawei security team (May 2025). +Resolved by complete removal of the clustering module in 40+ files +([AXIS2-6097](https://issues.apache.org/jira/browse/AXIS2-6097), +commit `e6f53b230b`). CVE pending publication with 2.0.1 release. + +**Lesson:** Any `ObjectInputStream.readObject()` on network input is a +critical-severity finding. The remaining use of Java serialization in +Axis2 is `SafeObjectInputStream` for context externalization, which uses +a class whitelist. + +### 2. XML Parsing (XXE/SSRF) + +**CVE-2010-1632:** DTD/XXE in MTOMBuilder flow. Fixed by strictly +forbidding DOCTYPE declarations in SOAP and XML requests. + +**WSDL import parsing:** wsdl4j 1.6.3 creates its own +`DocumentBuilderFactory` without XXE hardening. Axis2 mitigates this +with `SecureWSDLLocator` (pre-validates imported documents with a +hardened SAX parser, rejects DOCTYPE, protocol-whitelists to HTTP/HTTPS, +enforces size limits and timeouts) and hardened URI resolvers for +xmlschema-core imports. + +**Lesson:** Third-party XML libraries (wsdl4j, xmlschema-core) create +their own parser factories that bypass framework-level hardening. Every +XML parsing path — including transitive ones through dependency +libraries — must be audited. + +### 3. Dependency Vulnerabilities + +| CVE | Dependency | Issue | Resolution | +|-----|-----------|-------|------------| +| CVE-2010-3981 | Admin console | CSRF/XSS | Fixed in 1.7.3 | +| CVE-2012-6153, CVE-2014-3577 | Apache HttpClient | Various | Updated dependency in 1.7.4 | +| CVE-2016-1000031 | commons-fileupload | RCE via DiskFileItem | Updated dependency in 1.7.6 | +| CVE-2023-24998 | commons-fileupload 1.x | Unbounded file count DoS | Migrated to commons-fileupload2 in 2.0.0 | + +**Lesson:** Dependency-level CVEs are the most frequent class. The +migration from `commons-fileupload` 1.x to `commons-fileupload2` in +2.0.0 was specifically driven by CVE-2023-24998. + +## Existing Security Hardening + +1. **XML parsing:** All `DocumentBuilderFactory` and `SAXParserFactory` + instances created by the framework disable DTDs and external entities + (`XMLUtils.java`, `SecureWSDLLocator.java`, `DefaultEntityResolver.java`). + +2. **WSDL import security:** `SecureWSDLLocator` pre-parses imported + documents before passing them to wsdl4j. Protocol-restricted to + HTTP/HTTPS. Size-limited. Timeout-protected. Relative-path SSRF + bypass patched. + +3. **Schema import security:** URI resolvers for AAR and WAR deployments + block HTTP/HTTPS/FTP/JAR/file scheme resolution to prevent SSRF via + xmlschema-core's `DefaultURIResolver`. + +4. **Deserialization whitelist:** `SafeObjectInputStream` restricts Java + object deserialization to known Axis2 context classes. + +5. **Clustering removed:** The entire clustering module (Tribes-based + inter-node communication with unvalidated deserialization) has been + removed from the codebase. + +6. **File upload limits:** Migration to commons-fileupload2 enforces + file count limits, preventing CVE-2023-24998-style DoS. + +7. **Fault detail suppression:** `sendStacktraceDetailsWithFaults` + defaults to `false`. + +8. **Fuzz testing:** Jazzer-based fuzzers cover XML, JSON, HTTP header, + and URL parsers. 45M+ iterations with zero crashes or security + findings. See `src/site/xdoc/docs/OSS-FUZZ.md`. Axis2/C has an + active OSS-Fuzz integration. + +## Reporting Security Issues + +Report vulnerabilities to: **[email protected]** + +Follow the [Apache Security Policy](https://www.apache.org/security/). +All confirmed issues go through coordinated disclosure with CVE assignment.
