SE-3307 - Close Server Side Request Forgery (SSRF) vulnerability preventing man-in-the-middle attacks for eMessaging Server


Background

In SE-3307, SICS eMessaging Server was upgraded from the Apache Axis 1.4 SOAP stack to its successor, the Apache Axis2 Web services engine. The upgrade was driven by security vulnerabilities in Apache Axis 1.4 (the Axis 1.4 distribution was last released in 2006 and is affected by a published SSRF vulnerability, CVE-2019-0227, that Axis2 does not share) and is also a technology upgrade, since Axis2 is significantly faster than earlier versions of Apache Axis.

The Axis 1 generated client stubs are deprecated; new client stubs were generated with the Axis2 XMLBeans data binding.

Configuring jars for the Webconnectivity integration is no longer required, because the Axis2 jars are already on the classpath.

Migrating from Axis 1 to Axis 2 clients for SICS eMessaging Server

Some generated client stub classes have changed names, e.g., GENERALPARTY_Type is now GENERALPARTYType.

To add an attachment to the request or read one from the response, Axis 1 used its own AttachmentPart class, which is no longer available. In Axis2, attachments are added to and read from the MessageContext instead; see: SOAP with Attachments (SwA) with Axis2.

The Axis2 XMLBeans data binding also generates wrapper (document) classes for both request and response, e.g., CallRqDocument, which wraps CallRqType, and CallRsDocument, which wraps CallRsType. The client builds the request type, wraps it in its document class before the call, and unwraps the response document afterwards.

Axis 1

import javax.activation.DataHandler;
import org.apache.axis.attachments.AttachmentPart;

// Axis 1: obtain the generated binding stub (plain HTTP is only acceptable for localhost; use HTTPS for a remote server)
AcordMsgSvcCallBindingStub callStub = (AcordMsgSvcCallBindingStub) new MyAcordMsgServiceLocator().getAcordMsgSvcCall("http://localhost:8080/acord.soap/servlet/AxisServlet");
// the payload travels in an Axis 1 AttachmentPart registered on the stub
AttachmentPart attachedPayload = new AttachmentPart(new DataHandler(stringPayload, "text/xml; charset=utf-8"));
callStub.addAttachment(attachedPayload);
CallRqType request = new CallRqType();

CallRsType response = callStub.call(request);

Axis 2

import javax.activation.DataHandler;
import org.apache.axis2.context.MessageContext;

// Axis 2: the generated stub takes the endpoint directly (plain HTTP is only acceptable for localhost; use HTTPS for a remote server)
AcordMsgSvcCallStub callStub = new AcordMsgSvcCallStub("http://localhost:8080/acord.soap/servlet/AxisServlet");
// attachments now live on the MessageContext; addAttachment returns the content ID of the part,
// and the context must be the one the stub dispatches for this operation (see the SwA guide above)
MessageContext messageContext = new MessageContext();
String contentId = messageContext.addAttachment(new DataHandler(stringPayload, "text/xml; charset=utf-8"));
// XMLBeans binding: create the request type and wrap it in its document class
CallRqType request = CallRqType.Factory.newInstance();

CallRqDocument requestDocument = CallRqDocument.Factory.newInstance();
requestDocument.setCallRq(request);
CallRsDocument responseDocument = callStub.call(requestDocument);
// unwrap the response document to get the response type
CallRsType response = responseDocument.getCallRs();
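The Axis 2 snippet above shows how an attachment is added, but not the other half of the migration mentioned earlier: enabling SwA on the generated stub and reading the attachment that comes back on the response. The class below is an added example written for this page; it is not code from SE-3307 or from the Axis2 project. It assumes the stub and XMLBeans class names used above (AcordMsgSvcCallStub, CallRqType, CallRqDocument, CallRsType), that the operation is a synchronous request/response call so the inbound message is reachable through the stub's last OperationContext, and that the server returns its payload as a SwA part. The size cap is this example's own addition: a response attachment is untrusted input and should not be buffered without a limit.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.rmi.RemoteException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.activation.DataHandler;

import org.apache.axiom.attachments.Attachments;
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.context.OperationContext;
import org.apache.axis2.wsdl.WSDLConstants;

/** Added example for the Axis2 migration: SwA-enabled stub plus response attachment handling. */
public final class EMessagingAttachmentClient {

    /** Assumed limit for one buffered attachment (1 MiB); adjust to the real payload sizes. */
    static final int MAX_ATTACHMENT_BYTES = 1024 * 1024;

    private EMessagingAttachmentClient() {}

    /** Opens the generated Axis2 stub and switches its outgoing messages to SOAP with Attachments. */
    public static AcordMsgSvcCallStub openStub(String endpoint) throws AxisFault {
        // assumption: endpoint is HTTPS in production; plain HTTP is only for a localhost server
        AcordMsgSvcCallStub stub = new AcordMsgSvcCallStub(endpoint);
        Options options = stub._getServiceClient().getOptions();
        options.setProperty(Constants.Configuration.ENABLE_SWA, Constants.VALUE_TRUE);
        return stub;
    }

    /** Same text/xml DataHandler the page's Axis 1 and Axis 2 snippets build. */
    public static DataHandler xmlPayload(String stringPayload) {
        return new DataHandler(stringPayload, "text/xml; charset=utf-8");
    }

    /** Wraps the XMLBeans request type in its document class, calls, and unwraps the response. */
    public static CallRsType call(AcordMsgSvcCallStub stub, CallRqType request) throws RemoteException {
        CallRqDocument requestDocument = CallRqDocument.Factory.newInstance();
        requestDocument.setCallRq(request);
        CallRsDocument responseDocument = stub.call(requestDocument);
        return responseDocument.getCallRs();
    }

    /**
     * Reads every SwA part on the last response as UTF-8 text, keyed by content ID.
     * The SOAP envelope is itself listed as a content ID and is skipped.
     */
    public static Map<String, String> responseAttachments(AcordMsgSvcCallStub stub)
            throws AxisFault, IOException {
        OperationContext opCtx = stub._getServiceClient().getLastOperationContext();
        MessageContext inMsg = opCtx.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE);
        Attachments attachments = inMsg.getAttachmentMap();
        String soapPartId = attachments.getSOAPPartContentID();

        Map<String, String> parts = new LinkedHashMap<>();
        for (String contentId : attachments.getAllContentIDs()) {
            if (contentId.equals(soapPartId)) {
                continue;
            }
            parts.put(contentId, readUtf8(attachments.getDataHandler(contentId)));
        }
        return parts;
    }

    /** Buffers a part with a hard size limit so an oversized attachment cannot exhaust the heap. */
    static String readUtf8(DataHandler handler) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        try (InputStream in = handler.getInputStream()) {
            int read;
            while ((read = in.read(chunk)) != -1) {
                if (buffer.size() + read > MAX_ATTACHMENT_BYTES) {
                    throw new IOException("attachment exceeds " + MAX_ATTACHMENT_BYTES + " bytes");
                }
                buffer.write(chunk, 0, read);
            }
        }
        return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

The text returned by responseAttachments is XML that arrived from the network; parse it with external entity resolution disabled rather than handing it to a default parser, and keep the attachment limit in place even when the server is trusted, since the transport, not the peer, is what the MITM concern in the ticket title is about.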