Author: veithen
Date: Sun Jun 27 08:39:37 2010
New Revision: 958350

URL: http://svn.apache.org/viewvc?rev=958350&view=rev
Log:
CVE-2010-1632: Updated the advisory with current information about vulnerable 
products and third party references.

Modified:
    axis/axis2/java/core/security/CVE-2010-1632.pdf
    
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml

Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
Binary files - no diff available.

Modified: 
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
--- 
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
 (original)
+++ 
axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
 Sun Jun 27 08:39:37 2010
@@ -27,7 +27,7 @@
             <surname>Veithen</surname>
             <email>veit...@apache.org</email>
         </author>
-        <releaseinfo>First version: May 16, 2010 • First published: June 13, 
2010 • Last updated: June 13, 2010</releaseinfo>
+        <releaseinfo>First version: May 16, 2010 • First published: June 13, 
2010 • Last updated: June 27, 2010</releaseinfo>
     </articleinfo>
     <section>
         <title>Description</title>
@@ -134,17 +134,51 @@
         <section>
             <title>Other products</title>
             <para>
-                Axis2 is used in (or as the basis for) other products. This 
includes the Synapse,
-                ODE, Tuscany and Geronimo projects from the ASF, as well as 
several commercial
-                products. It is likely that these products are vulnerable as 
well.
+                Axis2 is used in (or as the basis for) other Open Source 
projects and
+                commercial products. It is likely that these products are 
vulnerable as well.
+                At the time of writing, the following information is available:
             </para>
+            <itemizedlist>
+                <listitem>
+                    <para>
+                        Axis2 is used by the Synapse, ODE, Tuscany and 
Geronimo projects
+                        from the ASF and it is expected that all these 
projects are
+                        vulnerable.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        Axis2 is used as the JAX-WS implementation in 
WebSphere Application
+                        Server 7.0 and in the Feature Pack for Web Services 
for WAS 6.1.
+                        Both are vulnerable. See
+                        <ulink 
url="http://www-01.ibm.com/support/docview.wss?uid=swg21433581"/>
+                        for details about the affected versions.
+                    </para>
+                </listitem>
+            </itemizedlist>
             <para>
                 It is possible that Web service frameworks other than Axis2 
are affected by
-                similar vulnerabilities.
+                similar vulnerabilities. At the time of writing, the following 
information
+                is available:
             </para>
+            <itemizedlist>
+                <listitem>
+                    <para>
+                        Axis 1.4 is not vulnerable and immediately rejects any 
request
+                        containing a DOCTYPE declaration.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        A similar vulnerability exists in Apache CXF. Please 
refer to
+                        CVE-2010-2076 for more details.
+                    </para>
+                </listitem>
+            </itemizedlist>
             <para>
-                The exploits described in <xref linkend="exploits"/> may be 
used to check
-                whether a given product is vulnerable.
+                For projects and products not listed above or for which no 
information
+                is available, the exploits described in <xref 
linkend="exploits"/> may be
+                used to check for vulnerability.
             </para>
         </section>
     </section>
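Review bot: The Apache CXF list item names CVE-2010-2076 as plain text, whereas the document's own third-party references use a ulink to the MITRE entry (`url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1632"`); consider linking CVE-2010-2076 the same way so readers can reach the CXF advisory directly. The Axis 1.4 item ("immediately rejects any request containing a DOCTYPE declaration") states a verification result without saying which version or configuration was tested, while the WebSphere item does point at a vendor page for affected versions; a short note on how the Axis 1.4 result was obtained would make the two items consistent and give readers a way to reproduce the check.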
@@ -466,6 +500,31 @@ expected a '&lt;' to start a directive
             initially described in JIRA report
             AXIS2-4450<footnote><para><ulink 
url="https://issues.apache.org/jira/browse/AXIS2-4450"/></para></footnote>.
         </para>
+        <para>
+            The issue is tracked by third parties with the following 
references:
+        </para>
+        <itemizedlist>
+            <listitem>
+                <para>
+                    <ulink 
url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1632";>CVE-2010-1632</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink url="http://secunia.com/advisories/40252";>Secunia 
Advisory SA40252</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink 
url="http://www.vupen.com/english/advisories/2010/1528";>VUPEN/ADV-2010-1528</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink 
url="https://bugzilla.redhat.com/show_bug.cgi?id=607118";>Red Hat Bugzilla – 
Bug 607118</ulink>
+                </para>
+            </listitem>
+        </itemizedlist>
     </section>
     <section>
         <title>Contact</title>
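Review bot: Each of the four new ulink elements has a stray `;` after the closing quote of the url attribute (for example `<ulink url="http://secunia.com/advisories/40252";>`), which is not well-formed XML and will make the docbkx build fail on parsing if it is really in the committed file; if the `;` is only an artifact of the mail archive's URL rendering it can be ignored, but it is worth confirming against the repository. The list also has no entry for the IBM advisory that the "Other products" section links to, so consider adding it here for completeness.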

