Bug 1698764 (CVE-2019-0227)

Summary: CVE-2019-0227 axis: Hard coded domain name in example web service named “StockQuoteService.jws” leading to remote code execution.
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agrimm, herrold, java-maint, pcheung, puntogil
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-18 05:29:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1701100    
Bug Blocks: 1698767    

Description Marian Rehak 2019-04-11 08:17:58 UTC 
An expired hard coded domain, used in a default example service named “StockQuoteService.jws”, could lead to remote code execution.

External References:

https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
Comment 2 Huzaifa S. Sidhpurwala 2019-04-18 05:14:42 UTC 
Analysis:

The server application using axis needs to be vulnerable to server side request forgery flaw (SSRF). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. 

This flaw can be elevated via a MITM attacker to achieve code execution on the axis server with the permission of the user running the server application.
Comment 3 Huzaifa S. Sidhpurwala 2019-04-18 05:19:54 UTC 
Note: The researcher was able to exploit axis via the sample StockQuoteService.jws application shipped with vanilla versions of axis. This was vulnerable to SSRF attacks, and by reserving the domain "www.xmltoday.com" and putting a redirect there, RCE was achieved.
Comment 4 Huzaifa S. Sidhpurwala 2019-04-18 05:22:27 UTC 
Created axis2 tracking bugs for this issue:

Affects: fedora-all [bug 1701100]
Comment 5 Huzaifa S. Sidhpurwala 2019-04-18 05:29:37 UTC 
There is a proof-of-concept available at: https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-0227

Also apache fixed this by removing the sample vulnerable application from the default package via: https://github.com/apache/axis1-java/commit/7043f1ab0397d1ae35f879f2bcc99be1e9b55644