[SE-1424] Close Server Side Request Forgery (SSRF) vulnerability preventing man-in-the-middle attacks
Product Line: P&C
Component/s: Other
Fix Version/s: SICS 4.9.5

Aim of function

Closed the vulnerabilities listed below by upgrading to Apache Axis2 version 1.7.9.


Name
CVE-2019-0227
Description
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; its latest version, 1.7.9, is not vulnerable to this issue.
CWE
CWE-918
CVSS v2.0 Severity
MEDIUM
CVSS v3.0 Severity
HIGH
Dependency
axis-1.4.jar
axis-jaxrpc-1.4.jar


Name
CVE-2018-8032
Description
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
CWE
CWE-79
CVSS v2.0 Severity
MEDIUM
CVSS v3.0 Severity
MEDIUM
Dependency
axis-1.4.jar


Name
CVE-2014-3596
Description
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. (CWE-297: Improper Validation of Certificate with Host Mismatch)
CWE
NVD-CWE-Other
CVSS v2.0 Severity
MEDIUM
CVSS v3.0 Severity

Dependency
axis-1.4.jar
axis-jaxrpc-1.4.jar


Name
CVE-2012-5784
Description
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE
CWE-20
CVSS v2.0 Severity
MEDIUM
CVSS v3.0 Severity

Dependency
axis-1.4.jar
axis-jaxrpc-1.4.jar
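As an added illustration of the hostname-matching defect described under CVE-2014-3596 and CVE-2012-5784 (a constructed example written for this note, not Axis code and not a reproduction of its getCN implementation): a naive substring search over the whole certificate subject accepts a name smuggled into a non-CN attribute, whereas a check that consults only subjectAltName dNSName entries, or the commonName attribute itself, rejects it. The certificate dicts, hostnames and the `SHORT` attribute map are assumptions made for the example.

```python
# Certificates below are constructed samples laid out like the dict that
# Python's ssl.SSLSocket.getpeercert() returns; no real hosts or keys involved.
TARGET = "api.example.com"

# Attacker-controlled subject: the wanted name appears as text inside an OU
# attribute, while the real CN (and the SAN) name a different host.
SPOOFED_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationalUnitName", "CN=api.example.com"),),
                (("commonName", "attacker.example"),)),
    "subjectAltName": (("DNS", "attacker.example"),),
}
GENUINE_CERT = {
    "subject": ((("countryName", "US"),),
                (("commonName", "api.example.com"),)),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.example.com")),
}

SHORT = {"countryName": "C", "organizationName": "O",
         "organizationalUnitName": "OU", "commonName": "CN"}

def flatten_subject(cert):
    """Render the subject as one DN string, e.g. 'C=US, OU=..., CN=...'."""
    return ", ".join(f"{SHORT.get(k, k)}={v}" for rdn in cert["subject"] for k, v in rdn)

def weak_cn_check(cert, hostname):
    """Substring search over the flattened subject: the failure class the
    CVE-2014-3596 text describes (any attribute may contain 'CN=<host>')."""
    return f"CN={hostname}" in flatten_subject(cert)

def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, one leftmost wildcard
    label only, and the wildcard may not stand for an empty label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return host_head != "" and host_tail == tail

def strict_hostname_check(cert, hostname):
    """Only SAN dNSName entries, or failing that the commonName attribute
    itself, may vouch for the hostname; other subject attributes are ignored."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN present: fall back to the CN attribute alone
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, hostname) for p in names)
```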


System Parameters Affected

None

Existing functionality affected

SICS API Server