Debian Bug report logs - #929266
axis: CVE-2019-0227

Reported by: Sylvain Beucler <beuc@beuc.net>

Date: Mon, 20 May 2019 10:33:01 UTC

Severity: normal

Tags: security, upstream


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#929266; Package axis. (Mon, 20 May 2019 10:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 May 2019 10:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sylvain Beucler <beuc@beuc.net>
To: submit@bugs.debian.org
Subject: axis: CVE-2019-0227
Date: Mon, 20 May 2019 12:20:31 +0200
Package: axis
X-Debbugs-CC: team@security.debian.org
Tags: security

Hi,

The following vulnerability was published for axis.

CVE-2019-0227[0]:
| A Server Side Request Forgery (SSRF) vulnerability affected the Apache
| Axis 1.4 distribution that was last released in 2006. Security and bug
| commits continue in the project's Axis 1.x Subversion
| repository, legacy users are encouraged to build from source. The
| successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
| vulnerable to this issue.

The vulnerable 'StockQuoteService.jws' is not present in Debian binary
packages, however a SSRF mitigation was also committed [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0227
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
[1] https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5

Cheers!
Sylvain Beucler
Debian LTS Team



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 May 2019 12:09:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#929266; Package axis. (Thu, 23 May 2019 21:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 May 2019 21:45:03 GMT) (full text, mbox, link).


Message #12 received at 929266@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Sylvain Beucler <beuc@beuc.net>
Cc: 929266@bugs.debian.org
Subject: Re: axis: CVE-2019-0227
Date: Thu, 23 May 2019 23:42:51 +0200
Hi,

On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc@beuc.net> wrote:
> Package: axis
> X-Debbugs-CC: team@security.debian.org
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for axis.
> 
> CVE-2019-0227[0]:
> | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> | Axis 1.4 distribution that was last released in 2006. Security and bug
> | commits continue in the project's Axis 1.x Subversion
> | repository, legacy users are encouraged to build from source. The
> | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> | vulnerable to this issue.
> 
> The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> packages, however a SSRF mitigation was also committed [1].

I believe the SSRF mitigation should be viewed in the context of the
vulnerable StockQuoteService.jws file. Since we don't ship this file in
our binary packages, I think it is correct to mark the issue as
unimportant. However I agree it is sensible to change
uconn.setInstanceFollowRedirects(true) to
uconn.setInstanceFollowRedirects(false).

I don't think it is likely that this issue is somehow exploited when
using our Debian package. We use axis mainly as a build-dependency for
other packages. We could change the default for
uconn.setInstanceFollowRedirects in Buster but keep it this way in
Jessie and Stretch.

It is nice to know that there is ongoing work on axis1. I think we could
update this package after the freeze and track the new upstream
development at

https://github.com/apache/axis1-java/

Regards,

Markus

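To make the behavioural difference behind the setInstanceFollowRedirects change concrete, here is an added Java example; it is not code from the axis package or from the upstream commit. The class and helper names (RedirectCheck, fetchStatus) are hypothetical, and a local com.sun.net.httpserver.HttpServer stands in for a remote host that answers a fetch with a redirect.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class RedirectCheck {
    // Hypothetical helper mirroring the fetch pattern discussed in the thread:
    // open a URL with HttpURLConnection and choose whether 3xx answers are honoured.
    // A hardened caller would also treat any 3xx status as an error rather than
    // resolving the Location header itself.
    static int fetchStatus(String url, boolean followRedirects) throws Exception {
        HttpURLConnection uconn = (HttpURLConnection) new URL(url).openConnection();
        uconn.setInstanceFollowRedirects(followRedirects); // the line the mitigation flips to false
        uconn.setConnectTimeout(2000);
        uconn.setReadTimeout(2000);
        int status = uconn.getResponseCode();
        uconn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Constructed local server: "/quote" answers with a 302 pointing at "/internal",
        // standing in for a remote endpoint that redirects the fetcher somewhere else.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/quote", ex -> {
            ex.getResponseHeaders().add("Location", "/internal");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        server.createContext("/internal", ex -> {
            byte[] body = "internal-only resource".getBytes("UTF-8");
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            // Pre-mitigation setting: the redirect is followed transparently, so the
            // caller only ever sees the status of the final target.
            System.out.println("followRedirects=true  -> " + fetchStatus(base + "/quote", true));
            // Post-mitigation setting: the 3xx surfaces to the caller and the
            // Location target is never contacted by the connection.
            System.out.println("followRedirects=false -> " + fetchStatus(base + "/quote", false));
        } finally {
            server.stop(0);
        }
    }
}
```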

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#929266; Package axis. (Fri, 24 May 2019 07:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 May 2019 07:18:05 GMT) (full text, mbox, link).


Message #17 received at 929266@bugs.debian.org (full text, mbox, reply):

From: Sylvain Beucler <beuc@beuc.net>
To: Markus Koschany <apo@debian.org>
Cc: 929266@bugs.debian.org
Subject: Re: axis: CVE-2019-0227
Date: Fri, 24 May 2019 09:09:35 +0200
Hi!

On Thu, May 23, 2019 at 11:42:51PM +0200, Markus Koschany wrote:
> On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc@beuc.net> wrote:
> > Package: axis
> > X-Debbugs-CC: team@security.debian.org
> > Tags: security
> > 
> > The following vulnerability was published for axis.
> > 
> > CVE-2019-0227[0]:
> > | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> > | Axis 1.4 distribution that was last released in 2006. Security and bug
> > | commits continue in the project's Axis 1.x Subversion
> > | repository, legacy users are encouraged to build from source. The
> > | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> > | vulnerable to this issue.
> > 
> > The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> > packages, however a SSRF mitigation was also committed [1].
> 
> I believe the SSRF mitigation should be viewed in the context of the
> vulnerable StockQuoteService.jws file.

AFAIU the vulnerable StockQuoteService.jws is fixed by its removal,
and similar XMLUtils-based services need the mitigation.
In either case the root SSRF issue is not fixed.


> Since we don't ship this file in
> our binary packages, I think it is correct to mark the issue as
> unimportant. However I agree it is sensible to change
> uconn.setInstanceFollowRedirects(true) to
> uconn.setInstanceFollowRedirects(false).
> 
> I don't think it is likely that this issue is somehow exploited when
> using our Debian package. We use axis mainly as a build-dependency for
> other packages. We could change the default for
> uconn.setInstanceFollowRedirects in Buster but keep it this way in
> Jessie and Stretch.

I trust your judgement on this.


> It is nice to know that there is ongoing work on axis1. I think we could
> update this package after the freeze and track the new upstream
> development at
> 
> https://github.com/apache/axis1-java/

The canonical repo is at
https://svn.apache.org/viewvc/axis/axis1/java/trunk/
(it would be good if Apache updated their SVN page..)

Cheers!
Sylvain




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:52 2019; Machine Name: buxtehude
