For this vulnerability to be exploitable, the following conditions must be met:
1) The attacker must have shell access to the machine on which Axis2 runs with any account. Obviously the vulnerability is interesting only if that account is unprivileged and different from the account Axis2 runs as.
2) Axis2 must be configured to use the servlet based HTTP transport (because commons-fileupload depends on the servlet API).
3) The temporary directory as configured by the java.io.tmpdir system property must be writable to the attacker. In practice, this means world writable, as is the case if java.io.tmpdir is set to /tmp.
4) MultipartFormDataBuilder must be enabled. This is the case for the default axis2.xml config file distributed with Axis2.
5) At least one Web service must be deployed on Axis2. [I'm not 100% sure here, but this condition is trivially satisfied in most cases anyway]

For the standalone Axis2 server, condition 3 is satisfied, but 2 is not. Tomcat sets java.io.tmpdir to a directory that is writable only to the user the Tomcat instance runs as. Therefore condition 2 is not satisfied, and Axis2 deployments on Tomcat are not vulnerable. I would expect that any decent application server behaves similarly to Tomcat. A notable exception is IBM WebSphere Application Server which doesn't change java.io.tmpdir, so that it points to the default /tmp. This would mean that Axis2 applications deployed on WAS will likely be vulnerable. Note that I believe that the Axis2 version that is part of the JAX-WS implementation in the WAS runtime is not vulnerable because it doesn't enable MultipartFormDataBuilder.

Also note that the mitigation strategy is trivial: upgrade commons-fileupload or disable MultipartFormDataBuilder.

Andreas

On Thu, Jul 23, 2015 at 11:41 AM, Charlie Martin <charlie.mar...@uk.ibm.com> wrote:
> Hi,
>
> The current (v1.6.3) and previous releases of Axis2 contain the Apache
> commons-fileupload-1.2.jar.
>
> This jar is flagged as being vulnerable to CVE-2013-0248
>
> Could anyone confirm if either:
>
> This vulnerability is not applicable to the use of the jar in Axis2
> If an update is planned
>
> Details of the vulnerability:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248
>
> Many thanks,
> Charlie Martin
>
> WebSphere MQ Development
> IBM Hursley Labs, Hursley Park, Winchester, Hants. SO21 2JN. UK.
> Email: charlie.mar...@uk.ibm.com
> Tel: +44 (0) 1962 815860, Internal: 37245860
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
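As an added example (not code from the thread, from Axis2 or from commons-fileupload), the following POSIX shell script lets an operator verify on a host the two conditions from the reply that are configuration-dependent, a world-writable java.io.tmpdir (condition 3) and MultipartFormDataBuilder enabled in axis2.xml (condition 4), and read the bundled commons-fileupload version from a lib directory so it can be compared with the 1.2 mentioned in the question. The axis2.xml fragments it writes are constructed for the demo and only modelled on the messageBuilders section of the default config; the exact element layout and the directory names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Axis2 thread: read-only checks for the
# conditions an operator can verify on a host. Nothing here changes the
# deployment; it only reports.

# Condition 3: is the directory writable by "other"? ls -ld is used instead
# of stat so the check works on both GNU and BSD userlands; character 9 of
# the mode string is the other-write bit (e.g. drwxrwxrwt for /tmp).
tmpdir_world_writable() {
    dir="$1"
    [ -d "$dir" ] || return 2
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Condition 4: does axis2.xml still declare MultipartFormDataBuilder outside
# an XML comment? The awk pass strips <!-- ... --> comments, including ones
# spanning several lines, so a builder that was commented out does not count.
multipart_builder_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 2
    awk '
        {
            line = $0; out = ""
            while (length(line) > 0) {
                if (incomment) {
                    i = index(line, "-->")
                    if (i == 0) { line = ""; break }
                    line = substr(line, i + 3); incomment = 0
                } else {
                    i = index(line, "<!--")
                    if (i == 0) { out = out line; line = ""; break }
                    out = out substr(line, 1, i - 1)
                    line = substr(line, i + 4); incomment = 1
                }
            }
            print out
        }' "$cfg" | grep -q 'MultipartFormDataBuilder'
}

# Prints the version embedded in the bundled jar name (1.2 for
# commons-fileupload-1.2.jar); returns 1 if no such jar is present.
fileupload_version() {
    libdir="$1"
    for jar in "$libdir"/commons-fileupload-*.jar; do
        [ -f "$jar" ] || return 1
        base=$(basename "$jar" .jar)
        printf '%s\n' "${base#commons-fileupload-}"
        return 0
    done
}

# Returns 0 when both host-side conditions hold, i.e. the deployment matches
# the exposed configuration described in the reply; 1 otherwise.
axis2_fileupload_exposed() {
    tmpdir_world_writable "$1" && multipart_builder_enabled "$2"
}

# Constructed fixture (assumed layout, not a real Axis2 distribution): a
# world-writable and a private tmpdir, a default-style and a hardened
# axis2.xml, and an empty jar carrying the version in its name.
make_demo_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/world" "$dir/private" "$dir/lib"
    chmod 777 "$dir/world"
    chmod 700 "$dir/private"
    : > "$dir/lib/commons-fileupload-1.2.jar"
    cat > "$dir/axis2-default.xml" <<'EOF'
<axisconfig name="AxisJava2.0">
    <messageBuilders>
        <messageBuilder contentType="application/xml"
                        class="org.apache.axis2.builder.ApplicationXMLBuilder"/>
        <messageBuilder contentType="multipart/form-data"
                        class="org.apache.axis2.builder.MultipartFormDataBuilder"/>
    </messageBuilders>
</axisconfig>
EOF
    # Hardened variant: the builder is disabled by commenting it out across lines.
    cat > "$dir/axis2-hardened.xml" <<'EOF'
<axisconfig name="AxisJava2.0">
    <messageBuilders>
        <messageBuilder contentType="application/xml"
                        class="org.apache.axis2.builder.ApplicationXMLBuilder"/>
        <!-- disabled pending commons-fileupload upgrade
        <messageBuilder contentType="multipart/form-data"
                        class="org.apache.axis2.builder.MultipartFormDataBuilder"/>
        -->
    </messageBuilders>
</axisconfig>
EOF
    printf '%s\n' "$dir"
}

DEMO=$(make_demo_fixture)
trap 'rm -rf "$DEMO"' EXIT

# Stand-alone run: report on the constructed fixture.
if axis2_fileupload_exposed "$DEMO/world" "$DEMO/axis2-default.xml"; then
    echo "default-style config with world-writable tmpdir: exposed (commons-fileupload $(fileupload_version "$DEMO/lib"))"
fi
if ! axis2_fileupload_exposed "$DEMO/world" "$DEMO/axis2-hardened.xml"; then
    echo "hardened config: MultipartFormDataBuilder disabled, not exposed"
fi
```

On a real host, point `tmpdir_world_writable` at the value of java.io.tmpdir the container actually uses (the reply notes Tomcat overrides it while the standalone server and WebSphere leave it at /tmp), and `multipart_builder_enabled` at the deployed axis2.xml rather than the one in the distribution archive.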