CVE-2019-0227: Apache Axis Remote Code Execution Alert

The default service included with Axis, StockQuoteService.jws, contains a hard-coded HTTP URL that is used to issue an outbound HTTP request. An attacker can register "an expired hardcoded domain that was used in a default example service as part of the default install", or spoof the server through ARP to perform a MITM attack, redirect the HTTP request to a malicious web server, and execute code remotely on the Apache Axis server (CVE-2019-0227).

A proof of concept demonstrating the man-in-the-middle method of exploiting this vulnerability can be found on our GitHub.

Affected version

  • Apache Axis Version = 1.4

Unaffected version

  • All versions of Apache Axis2 (currently Axis2's services make no such outbound HTTP requests).

Solution

  • If you are using Axis, delete the StockQuoteService.jws file from the Axis root directory.
  • Ensure that no library or service you run in Axis or Axis2 performs plain-HTTP requests or lets users initiate one. Use HTTPS and verify SSL certificates instead.
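The two remediation steps above can be checked mechanically. The following audit script is an added example, not code from the advisory or from the Axis project: it walks an Axis webapp root, flags the default StockQuoteService.jws if it is still deployed, and reports any plain-HTTP URL literals in deployed `.jws`/`.java` sources. The sample webapp it builds is constructed for the demonstration; the URL in it is a stand-in, not the real hard-coded domain.

```python
import os
import re
import tempfile

# The default service this advisory (CVE-2019-0227) says to delete.
VULNERABLE_DEFAULT_SERVICES = {"StockQuoteService.jws"}
# A plain-HTTP URL literal in source; HTTPS literals do not match.
HTTP_URL_RE = re.compile(r'"(http://[^"\s]+)"')


def audit_axis_webapp(root):
    """Return (kind, location, detail) findings for an Axis webapp directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in VULNERABLE_DEFAULT_SERVICES:
                findings.append(("default-service-present", rel, None))
            if name.endswith((".jws", ".java")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for url in HTTP_URL_RE.findall(line):
                            findings.append(("plain-http-url", f"{rel}:{lineno}", url))
    return findings


def make_sample_webapp():
    """Build a constructed Axis-like webapp (not real Axis files) for a dry run."""
    root = tempfile.mkdtemp(prefix="axis-audit-")
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "StockQuoteService.jws"), "w") as fh:
        fh.write('public class StockQuoteService {\n'
                 '    // constructed stand-in for the hard-coded plain-HTTP URL\n'
                 '    static final String URL = "http://example.invalid/quote";\n'
                 '}\n')
    with open(os.path.join(root, "SafeService.jws"), "w") as fh:
        fh.write('public class SafeService {\n'
                 '    static final String URL = "https://example.invalid/api";\n'
                 '}\n')
    return root


if __name__ == "__main__":
    for kind, where, detail in audit_axis_webapp(make_sample_webapp()):
        print(kind, where, detail or "")
```

Point `audit_axis_webapp` at a real deployment's webapp directory (for example the Axis context under the servlet container) to run the same check there.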