Hash: SHA1

                         AUSCERT Security Bulletin

       A vulnerability has been identified in Apache Axis2 prior to
                          versions 1.5.2 and 1.6.
                               24 June 2010


        AusCERT Security Bulletin Summary

Product:              Apache Axis2 prior to 1.5.2 and 1.6
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service      -- Remote/Unauthenticated
                      Access Privileged Data -- Remote/Unauthenticated
Resolution:           Mitigation
CVE Names:            CVE-2010-1632  
Member content until: Saturday, July 24 2010
Reference:            ESB-2010.0553


        A vulnerability has been identified in Apache Axis2 prior to versions
        1.5.2 and 1.6.


        The vendor has provided the following description for this 
        vulnerability, which has been assigned CVE-2010-1632:
        "The vulnerability described in this advisory may allow an attacker to 
        read arbitrary files on the file system of the node where Axis2 runs, 
        provided that the account running the Axis2 instance has access to 
        these files and that Java 2 security is not used to prevent file system 
        access. An attacker may also be able to retrieve unsecured resources 
        from the network if they are reachable from the Axis2 instance with 
        URLs that are recognized by the Java runtime. However, to do so, the 
        attacker needs to create a specially crafted request that requires 
        knowledge about the services deployed on the Axis2 instance. Therefore, 
        this vulnerability cannot be exploited in an automated way.
        The vulnerability may also allow the attacker to check the file system 
        of the server (resp. network resources reachable by the server) for 
        the existence of certain files (resp. resources), as well as to carry 
        out Denial of Service attacks. These attacks dont require knowledge 
        about the services deployed on Axis2 and may thus be exploited using 
        scripting." [1]


        The vendor recommends upgrading to the latest version of Axis2,
        however at the time of this publication, neither Axis2 1.5.2 nor 
        Axis2 1.6 has been released. In the interim, the vendor recommends 
        applying a fix which is available from:
        https://svn.apache.org/repos/asf/axis/axis2/java/core/security/secfix-cve-2010-1632 [1]


        [1] Apache Axis2 Security Advisory (CVE-2010-1632)

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967