Hi there,

tried to deliver the below message to the Axis (original Axis) mailing
group, but it seems that the only active group is this one? Hope that
somebody here can help me sort out my questions (or direct to the correct
mailing group). Thanks!

Best regards,
Dariusz Kordonski [Atlassian]

---------- Forwarded message ----------
From: Dariusz Kordonski <[email protected]>
Date: 20 July 2010 16:20
Subject: Axis 1.3 and CVE-2010-1632
To: [email protected]


Hi,

we have recently been asked about
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
and if it affects our product (Atlassian JIRA).

This security advisory refers to vulnerabilities in Axis2 that result from
processing (under some conditions) of DTD references by the Axis2 XML
parser. The document also clarifies (page 2) that Axis v1.4 is not affected
by this, as it immediately rejects any requests containing a DOCTYPE
declaration.

Unfortunately, Atlassian JIRA uses Axis in version *1.3* as a foundation for
its SOAP API, and, although we are quite certain this version remains
unaffected too, we were unable to find any official statement confirming our
assumptions. We performed some simple tests by means of sending requests
with the following declaration:
<!DOCTYPE createIssue [
<!ENTITY file SYSTEM "/etc/hosts">
]>

included at the beginning of the SOAP request. As a result we received:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>org.xml.sax.SAXException: Processing instructions are not allowed within SOAP messages</faultstring>
<detail>
<faultData xsi:type="ns1:SAXException" xmlns:ns1="http://sax.xml.org">
<cause xsi:type="ns2:Throwable" xsi:nil="true" xmlns:ns2="http://lang.java"/>
<exception xsi:type="ns3:Exception" xsi:nil="true" xmlns:ns3="http://lang.java"/>
<message xsi:type="xsd:string">Processing instructions are not allowed within SOAP messages</message>
</faultData>
<ns4:hostname xmlns:ns4="http://xml.apache.org/axis/">notresspassing</ns4:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>

which seems to be confirming that Axis v1.3 is indeed protected against this
particular exploit. We are, however, not quite sure if this kind of test is
enough. Can you therefore confirm that Axis 1.3 exposes the same level of
protection against the above exploit as Axis 1.4 does? Alternatively, what
other kind of tests should we perform to make sure it does?

Best regards,
Dariusz Kordonski [Atlassian]
