Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
CVE-2023-40743

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Axis
Vendor: CVE Published:; 5 September 2023

Summary

The Apache Axis 1.x framework is susceptible to an input validation vulnerability when utilizing the 'ServiceFactory.getService' method. This method can process untrusted data, allowing for potentially harmful lookup mechanisms, including LDAP. Insecure input handling may lead to Denial of Service (DoS), Server-Side Request Forgery (SSRF), or even Remote Code Execution (RCE) attacks. The software's end-of-life status emphasizes the need for migration to an upgraded SOAP engine like Apache Axis 2/Java. It is crucial for developers to audit their applications to ensure that no unsanitized or untrusted input is passed to the 'ServiceFactory.getService' method. Patch details and further guidance can be found at the GitHub repository.

Affected Version(s)

Apache Axis 0 <= 1.3

References

https://github.com/apache/axis-axis1-java/commit/7e667534...

patch

https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm...

vendor-advisory

https://lists.debian.org/debian-lts-announce/2023/10/msg0...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 5, 2023
Vulnerability Reserved
Aug 21, 2023

Credit

Letian Yuan