Source: axis
Version: 1.4-28
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for axis.

CVE-2023-40743[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in
| an application, it may not have been obvious that looking up a
| service through "ServiceFactory.getService" allows potentially
| dangerous lookup mechanisms such as LDAP. When passing untrusted
| input to this API method, this could expose the application to DoS,
| SSRF and even attacks leading to RCE. As Axis 1 has been EOL we
| recommend you migrate to a different SOAP engine, such as Apache
| Axis 2/Java. As a workaround, you may review your code to verify no
| untrusted or unsanitized input is passed to
| "ServiceFactory.getService", or by applying the patch from
| https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 .
| The Apache Axis project does not expect to create an Axis 1.x release
| fixing this problem, though contributors that would like to work
| towards this are welcome.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40743
    https://www.cve.org/CVERecord?id=CVE-2023-40743
[1] https://www.openwall.com/lists/oss-security/2023/09/05/1
[2] https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
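The workaround the advisory describes (making sure no untrusted or unsanitized input reaches ServiceFactory.getService) as an added Java example; this is not code from the bug report or from the Axis project. It assumes the lookup name is passed under the environment key "jndiName" (the key Axis 1.4's ServiceFactory.getService reads) and that the application only needs plain, relative JNDI names from its own namespace, never URL-style names that select a remote lookup mechanism.

```java
import java.util.Hashtable;
import java.util.Set;
import java.util.regex.Pattern;
import javax.xml.rpc.Service;
import org.apache.axis.client.ServiceFactory;

/**
 * Guarded wrapper around Axis 1.x ServiceFactory.getService.
 * The environment key "jndiName" is an assumption taken from the Axis 1.4
 * source, not from the bug report; adjust it if your code uses another key.
 */
public final class SafeAxisServiceLookup {

    /** Plain relative JNDI names: path-like segments only, no scheme
     *  (no ':'), no "//", no whitespace. */
    private static final Pattern PLAIN_NAME =
            Pattern.compile("^[A-Za-z0-9_.\\-]+(/[A-Za-z0-9_.\\-]+)*$");

    /** Names this application is allowed to resolve (constructed sample). */
    private static final Set<String> ALLOWED =
            Set.of("axisServiceName", "services/orderService");

    private SafeAxisServiceLookup() {}

    /**
     * True only if the name is syntactically a local JNDI name AND is on
     * the allow-list. A value carrying a URL scheme such as "ldap:" or
     * "rmi:" fails the pattern because ':' is not a permitted character;
     * the allow-list is the primary control, the pattern is defence in depth.
     */
    public static boolean isAllowedName(String name) {
        return name != null
                && name.length() <= 128
                && PLAIN_NAME.matcher(name).matches()
                && ALLOWED.contains(name);
    }

    /** Resolve the service, refusing any name that does not pass the check. */
    public static Service lookup(String untrustedName) {
        if (!isAllowedName(untrustedName)) {
            throw new IllegalArgumentException(
                    "refusing service lookup for unexpected name");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put("jndiName", untrustedName); // key assumed, see class comment
        return ServiceFactory.getService(env);
    }
}
```

Route every call site that previously built the environment from request data through lookup(), and log the rejected names so a scan for lookup-mechanism strings shows up in monitoring rather than reaching JNDI.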