Vulnerabilities > CVE-2019-0227 - Server-Side Request Forgery (SSRF) vulnerability in multiple products
Attack vector
ADJACENT_NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| id | EDB-ID:46682 |
| last seen | 2019-04-09 |
| modified | 2019-04-09 |
| published | 2019-04-09 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/46682 |
| title | Apache Axis 1.4 - Remote Code Execution |
Nessus
NASL family Misc. NASL id ORACLE_TUXEDO_CPU_JAN_2020.NASL description The version of Oracle Tuxedo installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability due to a Server Side Request Forgery (SSRF) vulnerability found in the Apache Axis 1.4 distribution used in the TX SALT component. (CVE-2019-0227) last seen 2020-06-01 modified 2020-06-02 plugin id 133041 published 2020-01-17 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133041 title Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(133041); script_version("1.2"); script_cvs_date("Date: 2020/01/20"); script_cve_id("CVE-2019-0227"); script_bugtraq_id(107867); script_name(english:"Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of Oracle Tuxedo installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability due to a Server Side Request Forgery (SSRF) vulnerability found in the Apache Axis 1.4 distribution used in the TX SALT component. (CVE-2019-0227)"); # https://www.oracle.com/security-alerts/cpujan2020.html#AppendixFMW script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?383db271"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the January 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0227"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:tuxedo"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_tuxedo_installed.nbin"); script_require_keys("installed_sw/Oracle Tuxedo"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('oracle_rdbms_cpu_func.inc'); include('misc_func.inc'); include('install_func.inc'); app_name = 'Oracle Tuxedo'; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; rp = install['RP']; path = install['path']; rp_fix = 0; if (version =~ "^12\.1\.1\.0($|\.|_)") rp_fix = 100; else if (version =~ "^12\.1\.3\.0($|\.|_)") rp_fix = 108; else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version + " RP " + rp, path); if (rp == UNKNOWN_VER || rp < rp_fix) { items = make_array('Path', path, 'Version', version, 'RP', rp, 'Required RP', rp_fix ); order = make_list('Path', 'Version', 'RP', 'Required RP'); report = report_items_str(report_items:items, ordered_fields:order); security_report_v4(port:0, extra:report, severity:SECURITY_WARNING); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version + ' RP ' + rp, path);NASL family Misc. NASL id ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2020_CPU.NASL description The version of Oracle Secure Global Desktop installed on the remote host is missing a security patch from the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - A remote code execution vulnerability exists in the Core (Apache Axis) component. An unauthenticated, adjacent attacker can exploit this issue, to execute arbitrary commands. (CVE-2019-0227) - A cross-site scripting vulnerability exists in the Web Server (Appache HTTPD Server) component. An unauthenticated, remote attacker can exploit this issue via causing the link on the mod_proxy error page to be malformed and point to a page of the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 133042 published 2020-01-17 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133042 title Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU) NASL family CGI abuses NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2020.NASL description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities: - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 used in Primavera Unifier. (CVE-2019-14540) - A memory exhaustion flaw exists in Apache Tika last seen 2020-05-08 modified 2020-01-30 plugin id 133359 published 2020-01-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133359 title Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU) NASL family Misc. NASL id ORACLE_OATS_CPU_APR_2020.NASL description The version of Oracle Application Testing Suite installed on the remote host is affected by a Server Side Request Forgery (SSRF) vulnerability in the Oracle FLEXCUBE Private Banking product of Oracle Financial Services Applications (component: Core (Apache Axis)). The supported versions which are affected are 12.0 and 12.1. This is a difficult to exploit vulnerability which allows an unauthenticated, adjacent attacker with access to the physical segment attached to the hardware where Oracle FLEXCUBE Private Banking executes to compromise Oracle FLEXCUBE Private Banking in order to take it over. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-08 modified 2020-04-16 plugin id 135681 published 2020-04-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135681 title Oracle Application Testing Suite (Apr 2020 CPU) NASL family CGI abuses NASL id ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL description According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following: - Two Polymorphic Typing issues present in FasterXML jackson-databind related to com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers. (CVE-2019-16335, CVE-2019-14540) - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that the server hostname matches a domain name in the subject last seen 2020-05-08 modified 2020-01-15 plugin id 132936 published 2020-01-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132936 title Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/152462/apacheaxis14-exec.txt |
| id | PACKETSTORM:152462 |
| last seen | 2019-04-11 |
| published | 2019-04-10 |
| reporter | David Yesland |
| source | https://packetstormsecurity.com/files/152462/Apache-Axis-1.4-Remote-Code-Execution.html |
| title | Apache Axis 1.4 Remote Code Execution |
References
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E