Vulnerabilities > CVE-2019-0227 - Server-Side Request Forgery (SSRF) vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
ADJACENT_NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
high complexity
apache
oracle
CWE-918
nessus
exploit available

Summary

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug-fix commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

Vulnerable Configurations

Part Description Count
Application
Apache
1
Application
Oracle
161

Common Weakness Enumeration (CWE)

Exploit-Db

idEDB-ID:46682
last seen2019-04-09
modified2019-04-09
published2019-04-09
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46682
titleApache Axis 1.4 - Remote Code Execution

Nessus

  • NASL familyMisc.
    NASL idORACLE_TUXEDO_CPU_JAN_2020.NASL
    descriptionThe version of Oracle Tuxedo installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability due to a Server Side Request Forgery (SSRF) vulnerability found in the Apache Axis 1.4 distribution used in the TX SALT component. (CVE-2019-0227)
    last seen2020-06-01
    modified2020-06-02
    plugin id133041
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133041
    titleOracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata pass: when `description` is set, the plugin only registers its
    # identifiers, text, CVSS vectors and prerequisites, then exits before any
    # of the check logic further down the script runs.
    if (description)
    {
      script_id(133041);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/20");
    
      # Advisory identifiers this plugin tracks.
      script_cve_id("CVE-2019-0227");
      script_bugtraq_id(107867);
    
      script_name(english:"Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU)");
      script_summary(english:"Checks for the patch.");
    
      # Human-readable finding text shown in scan results.
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by
    a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Tuxedo installed on the remote host is missing
    a security patch. It is, therefore, affected by a remote code execution
    vulnerability due to a Server Side Request Forgery (SSRF) vulnerability
    found in the Apache Axis 1.4 distribution used in the TX SALT component.
    (CVE-2019-0227)");
      # The see_also value is a shortened nessus.org link given with an http://
      # scheme; the URL in the next comment is presumably its target - confirm.
      # https://www.oracle.com/security-alerts/cpujan2020.html#AppendixFMW
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?383db271");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2020 Oracle
    Critical Patch Update advisory.");
      # Both base vectors use the adjacent-network attack vector (AV:A); the v3
      # vector also rates attack complexity as high (AC:H). The temporal vectors
      # record proof-of-concept exploit maturity (E:POC / E:P) and an official
      # fix (RL:OF / RL:O).
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0227");
    
      # Exploit availability flags, matching the temporal vectors above.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # NOTE(review): vulnerability and patch dates are both 2020/01/15 -
      # presumably the Oracle CPU release date rather than the upstream Axis
      # disclosure date; confirm before using this field for exposure-window
      # reporting.
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
    
      # Declared as a local check; two CPE names are attached to the finding.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:tuxedo");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: depends on oracle_tuxedo_installed.nbin and requires the
      # 'installed_sw/Oracle Tuxedo' KB key (presumably written by that
      # detection plugin - confirm).
      script_dependencies("oracle_tuxedo_installed.nbin");
      script_require_keys("installed_sw/Oracle Tuxedo");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('oracle_rdbms_cpu_func.inc');
    include('misc_func.inc');
    include('install_func.inc');
    
    # Patch-level check for Oracle Tuxedo: compares the recorded rolling patch
    # (RP) of the single detected install against the minimum RP for its
    # release line. Nothing in this block contacts the Tuxedo service; the
    # result rests entirely on the install data returned below.
    app_name = 'Oracle Tuxedo';
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    path = install['path'];
    version = install['version'];
    rp = install['RP'];
    
    # Minimum RP required per release line; 0 is kept for release lines this
    # check does not cover.
    rp_fix = 0;
    if (version =~ "^12\.1\.1\.0($|\.|_)") rp_fix = 100;
    else if (version =~ "^12\.1\.3\.0($|\.|_)") rp_fix = 108;
    
    # Release line not matched above: audit out as not vulnerable.
    if (rp_fix == 0)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version + " RP " + rp, path);
    
    # An unknown RP is reported rather than audited out, so the check errs
    # toward flagging the host.
    # NOTE(review): rp is compared with an integer threshold; assumes
    # install['RP'] holds a number - confirm against the detection plugin.
    if (rp != UNKNOWN_VER && !(rp < rp_fix))
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version + ' RP ' + rp, path);
    else
    {
      fields = make_array('Path', path,
                          'Version', version,
                          'RP', rp,
                          'Required RP', rp_fix);
      field_order = make_list('Path', 'Version', 'RP', 'Required RP');
      report = report_items_str(report_items:fields, ordered_fields:field_order);
      # port:0 with SECURITY_WARNING: the finding is not tied to a listening port.
      security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
    }
    
  • NASL familyMisc.
    NASL idORACLE_SECURE_GLOBAL_DESKTOP_JAN_2020_CPU.NASL
    descriptionThe version of Oracle Secure Global Desktop installed on the remote host is missing a security patch from the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - A remote code execution vulnerability exists in the Core (Apache Axis) component. An unauthenticated, adjacent attacker can exploit this issue to execute arbitrary commands. (CVE-2019-0227) - A cross-site scripting vulnerability exists in the Web Server (Apache HTTPD Server) component. An unauthenticated, remote attacker can exploit this issue via causing the link on the mod_proxy error page to be malformed and point to a page of the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id133042
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133042
    titleOracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2020.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities: - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 used in Primavera Unifier. (CVE-2019-14540) - A memory exhaustion flaw exists in Apache Tika
    last seen2020-05-08
    modified2020-01-30
    plugin id133359
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133359
    titleOracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)
  • NASL familyMisc.
    NASL idORACLE_OATS_CPU_APR_2020.NASL
    descriptionThe version of Oracle Application Testing Suite installed on the remote host is affected by a Server Side Request Forgery (SSRF) vulnerability in the Oracle FLEXCUBE Private Banking product of Oracle Financial Services Applications (component: Core (Apache Axis)). The supported versions which are affected are 12.0 and 12.1. This is a difficult to exploit vulnerability which allows an unauthenticated, adjacent attacker with access to the physical segment attached to the hardware where Oracle FLEXCUBE Private Banking executes to compromise Oracle FLEXCUBE Private Banking in order to take it over. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-08
    modified2020-04-16
    plugin id135681
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135681
    titleOracle Application Testing Suite (Apr 2020 CPU)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following: - Two Polymorphic Typing issues present in FasterXML jackson-databind related to com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers. (CVE-2019-16335, CVE-2019-14540) - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that the server hostname matches a domain name in the subject
    last seen2020-05-08
    modified2020-01-15
    plugin id132936
    published2020-01-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132936
    titleOracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/152462/apacheaxis14-exec.txt
idPACKETSTORM:152462
last seen2019-04-11
published2019-04-10
reporterDavid Yesland
sourcehttps://packetstormsecurity.com/files/152462/Apache-Axis-1.4-Remote-Code-Execution.html
titleApache Axis 1.4 Remote Code Execution

References