Dariusz,

The statement in the advisory is based on a test I did on a service
implemented with Axis 1.4 and on a statement from one of the
developers of Axis that they identified and fixed this vulnerability
some years ago. I did not do a code analysis of Axis and I did not do
a test on any other version of Axis. If you used the exploits
described in the advisory to test Axis 1.3 and that test gives the
result you describe, then that version should be considered safe.

Andreas

On Tue, Jul 20, 2010 at 09:33, Dariusz Kordonski
<[email protected]> wrote:
> Hi there,
> tried to deliver the below message to the Axis (original Axis) mailing
> group, but it seems that the only active group is this one? Hope that
> somebody here can help me sort out my questions (or direct to the correct
> mailing group). Thanks!
> Best regards,
> Dariusz Kordonski [Atlassian]
> ---------- Forwarded message ----------
> From: Dariusz Kordonski <[email protected]>
> Date: 20 July 2010 16:20
> Subject: Axis 1.3 and CVE-2010-1632
> To: [email protected]
>
>
> Hi,
> we have recently received an inquiry
> about https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
> and if it affects our product (Atlassian JIRA).
> This security advisory refers to vulnerabilities in Axis2 that result from
> processing (under some conditions) of DTD references by the Axis2 XML
> parser. The document also clarifies (page 2) that Axis v1.4 is not affected
> by this, as it immediately rejects any requests containing a DOCTYPE
> declaration.
> Unfortunately, Atlassian JIRA uses Axis in version *1.3* as a foundation for
> its SOAP API, and, although we are quite certain this version remains
> unaffected too, we were unable to find any official statement confirming our
> assumptions. We performed some simple tests by means of sending requests
> with the following declaration:
> <!DOCTYPE createIssue [
> <!ENTITY file SYSTEM "/etc/hosts">
> ]>
> included at the beginning of the SOAP request. As a result we received:
> <?xml version="1.0" encoding="utf-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Body>
> <soapenv:Fault>
> <faultcode>soapenv:Server.userException</faultcode>
> <faultstring>org.xml.sax.SAXException: Processing instructions are not
> allowed within SOAP messages</faultstring>
> <detail>
> <faultData xsi:type="ns1:SAXException" xmlns:ns1="http://sax.xml.org">
> <cause xsi:type="ns2:Throwable" xsi:nil="true"
> xmlns:ns2="http://lang.java"/>
> <exception xsi:type="ns3:Exception" xsi:nil="true"
> xmlns:ns3="http://lang.java"/>
> <message xsi:type="xsd:string">Processing instructions are not allowed
> within SOAP messages</message>
> </faultData>
> <ns4:hostname
> xmlns:ns4="http://xml.apache.org/axis/">notresspassing</ns4:hostname>
> </detail>
> </soapenv:Fault>
> </soapenv:Body>
> </soapenv:Envelope>
> which seems to be confirming that Axis v1.3 is indeed protected against this
> particular exploit. We are, however, not quite sure if this kind of test is
> enough. Can you therefore confirm that Axis 1.3 exposes the same level of
> protection against the above exploit as Axis 1.4 does? Alternatively, what
> other kind of tests should we perform to make sure it does?
> Best regards,
> Dariusz Kordonski [Atlassian]
>
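
Added example, not part of the thread and not Axis code: two standard ways a Java SAX-based SOAP endpoint can reject a DOCTYPE declaration before any entity is resolved, run against a constructed request that carries the DOCTYPE quoted above. The class name, the minimal envelope and the rejection message are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.ext.DefaultHandler2;

public class DoctypeRejectionCheck {
    // Constructed sample: a minimal SOAP envelope (not a real JIRA request).
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><createIssue/></soapenv:Body></soapenv:Envelope>";
    // The DOCTYPE from the thread, placed at the beginning of the request.
    static final String WITH_DOCTYPE =
        "<!DOCTYPE createIssue [\n<!ENTITY file SYSTEM \"/etc/hosts\">\n]>\n" + ENVELOPE;

    static SAXParserFactory factory() {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }
    // Option 1: parser-level switch; any DOCTYPE becomes a fatal parse error.
    static XMLReader featureReader() throws Exception {
        SAXParserFactory f = factory();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }
    // Option 2: handler-level rejection; abort as soon as the parser reports a DTD.
    static XMLReader handlerReader() throws Exception {
        XMLReader r = factory().newSAXParser().getXMLReader();
        DefaultHandler2 h = new DefaultHandler2() {
            @Override
            public void startDTD(String name, String publicId, String systemId) throws SAXException {
                throw new SAXException("DOCTYPE is not allowed in SOAP messages"); // hypothetical message
            }
        };
        r.setContentHandler(h);
        r.setProperty("http://xml.org/sax/properties/lexical-handler", h);
        return r;
    }
    // True if the message parses to the end, false if the parser rejected it.
    static boolean accepts(XMLReader r, String xml) throws Exception {
        try { r.parse(new InputSource(new StringReader(xml))); return true; }
        catch (SAXException e) { return false; }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("feature, with DOCTYPE accepted: " + accepts(featureReader(), WITH_DOCTYPE));
        System.out.println("handler, with DOCTYPE accepted: " + accepts(handlerReader(), WITH_DOCTYPE));
        System.out.println("feature, plain envelope accepted: " + accepts(featureReader(), ENVELOPE));
        System.out.println("handler, plain envelope accepted: " + accepts(handlerReader(), ENVELOPE));
    }
}
```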
