
Bug#1054121: marked as done (bullseye-pu: package axis/1.4-28)



Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <E1rYn0R-002xpS-Gy@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1054121,
regarding bullseye-pu: package axis/1.4-28
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1054121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054121
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org

[ Reason ]

Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.

[ Tests ]

The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.

[ Risks ]

Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third-party
applications outside of Debian, but better safe than sorry.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog	2018-12-03 08:25:51.000000000 +0100
+++ axis-1.4/debian/changelog	2023-10-17 14:05:20.000000000 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-40743:
+    When integrating Apache Axis 1.x in an application, it may not have been
+    obvious that looking up a service through "ServiceFactory.getService"
+    allows potentially dangerous lookup mechanisms such as LDAP. When passing
+    untrusted input to this API method, this could expose the application to
+    DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany <apo@debian.org>  Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
   * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch	1970-01-01 01:00:00.000000000 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch	2023-10-17 14:05:20.000000000 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+         
+         if (context != null) {
+             String name = (String)environment.get("jndiName");
++
++	    if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1)  {
++	        return null;
++            }
+             if (name == null) {
+                 name = "axisServiceName";
+             }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+                     context.bind(name, service);
+                 } catch (NamingException e1) {
+                     // !!! Couldn't do it, what should we do here?
++	            return null;
+                 }
+             }
+         } else {
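Review bot: the closing parenthesis in the new `if` on the `String name = (String)environment.get("jndiName");` hunk is misplaced, so only the LDAP/RMI/JMS/JMX terms are covered by `name!=null &&`; the JRMP, JAVA and DNS terms are evaluated even when `jndiName` is absent, and `name.toUpperCase()` then dereferences null and throws a NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` default can run, which is a regression for every caller that never set `jndiName`. Move the parenthesis to the end of the condition, i.e. `if (name != null && (... || name.toUpperCase().indexOf("DNS") != -1)) {`, and consider a single `String upper = name.toUpperCase();` rather than seven calls. Two smaller points: the new `return null;` in the `catch (NamingException e1)` block silently turns a failed `context.bind` into a null service for the caller, so at least log `e1` there; and the added lines use tab indentation while the surrounding file uses spaces.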
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series	2018-12-03 00:33:50.000000000 +0100
+++ axis-1.4/debian/patches/series	2023-10-17 14:05:20.000000000 +0200
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch

--- End Message ---
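The parenthesisation problem in the patched `jndiName` guard is easiest to see in isolation. The class below is an added illustration, not code from Axis or from the Debian patch: `blockedAsPatched` reproduces the condition exactly as it appears in the debdiff, `blockedCorrected` is one way to write the same filter with a single null check, and the class, method and sample names are made up for the demo.

```java
import java.util.Locale;

// Added illustration for the CVE-2023-40743 patch; class and method names are hypothetical.
public class JndiNameGuardDemo {

    // The condition as written in the patch: only the LDAP/RMI/JMS/JMX terms sit
    // inside the `name != null &&` group, so the JRMP/JAVA/DNS terms still call
    // name.toUpperCase() when name is null and throw a NullPointerException.
    static boolean blockedAsPatched(String name) {
        return name != null && (name.toUpperCase().indexOf("LDAP") != -1
                || name.toUpperCase().indexOf("RMI") != -1
                || name.toUpperCase().indexOf("JMS") != -1
                || name.toUpperCase().indexOf("JMX") != -1)
                || name.toUpperCase().indexOf("JRMP") != -1
                || name.toUpperCase().indexOf("JAVA") != -1
                || name.toUpperCase().indexOf("DNS") != -1;
    }

    // Same substring filter as the patch, but one null check guards every term.
    // A null name is not blocked: the caller's "axisServiceName" default applies.
    private static final String[] BLOCKED = {"LDAP", "RMI", "JMS", "JMX", "JRMP", "JAVA", "DNS"};

    static boolean blockedCorrected(String name) {
        if (name == null) {
            return false;
        }
        String upper = name.toUpperCase(Locale.ROOT); // locale-independent case folding
        for (String token : BLOCKED) {
            if (upper.contains(token)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample names: the Axis default, a name that the filter must
        // reject, and the missing-jndiName case that breaks the patched expression.
        String[] samples = {"axisServiceName", "myLdapEntry", null};
        for (String s : samples) {
            System.out.println("corrected:  " + s + " -> " + blockedCorrected(s));
            try {
                System.out.println("as patched: " + s + " -> " + blockedAsPatched(s));
            } catch (NullPointerException e) {
                System.out.println("as patched: " + s + " -> NullPointerException");
            }
        }
    }
}
```

Running it shows `blockedAsPatched(null)` throwing where `blockedCorrected(null)` returns false, which is the behaviour a caller without a `jndiName` entry relies on.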
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
