
Monday, June 21, 2010

Apache Axis2/Java vulnerability

Since this is server-side software, a special warning here: anyone using Apache Axis should update to version 1.5.2 or 1.6 or later as soon as possible.

Apache Axis2/Java XML Document Type Declaration Processing Vulnerability
Release Date: 2010-06-21

Criticality level: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information, DoS
Where: From remote
Authentication level: Available in Customer Area
Report reliability: Available in Customer Area
Solution Status: Vendor Workaround
Systems affected: Available in Customer Area
Approve distribution: Available in Customer Area
Software:
Apache Axis2/Java 1.x

CVE Reference(s): CVE-2010-1632 (CVSS available in Customer Area)

Description
A vulnerability has been reported in Apache Axis2/Java, which can be exploited by malicious people to disclose system information or potentially sensitive information and cause a DoS (Denial of Service).

The vulnerability is caused due to Axis2 not properly restricting the processing of XML Document Type Declarations (DTD). This can be exploited to e.g. determine the existence or include contents of local and potentially external files by including them as a DTD reference or cause a DoS due to CPU or memory consumption by providing e.g. a heavily nested DTD.

The vulnerability is reported in versions 1.4.1 and 1.5.1. Prior versions may also be affected.

Solution
Apply patch and update to version 1.5.2 or 1.6 as soon as available. See vendor's advisory for additional details.
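As an added illustration (not part of the advisory and not Axis2's or Axiom's own code), this is the parser-level behaviour the Description refers to: a StAX reader configured to refuse any DOCTYPE in an incoming SOAP message, so neither a file reference in the DTD nor a deeply nested entity definition is ever processed. The class name, helper names and sample messages are assumptions constructed for the example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class DtdGuardDemo {
    // StAX factory configured so DTDs are not processed at all: no external
    // subset fetch, no external entity resolution, no entity expansion.
    // Assumed helper for illustration, not Axis2/Axiom code.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the local name of the first element inside the SOAP Body, or throws
    // if the message carries a DOCTYPE. The explicit DTD-event check matters because
    // some StAX implementations still report the DOCTYPE when SUPPORT_DTD is false.
    static String firstBodyChild(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            boolean inBody = false;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("DOCTYPE not allowed in SOAP request");
                }
                if (ev == XMLStreamConstants.START_ELEMENT) {
                    if (inBody) return r.getLocalName();
                    inBody = "Body".equals(r.getLocalName());
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages (not captured traffic).
        String clean = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body><getVersion/></soapenv:Body></soapenv:Envelope>";
        String withDtd = "<!DOCTYPE Envelope [<!ENTITY x \"x\">]>" + clean;
        System.out.println("clean   -> " + firstBodyChild(clean));
        try { firstBodyChild(withDtd); }
        catch (XMLStreamException e) { System.out.println("withDtd -> rejected: " + e.getMessage()); }
    }
}
```

The same two factory properties are what a hardened Axiom/StAX setup applies; the check on the DTD event is the belt-and-braces step for parsers that report the declaration instead of rejecting it.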

Original Advisory
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
https://issues.apache.org/jira/browse/AXIS2-4450
