CVE-2019-0227: SSRF
First published: Wed May 01 2019(Updated: )
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Axis | =1.4 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile Product Lifecycle Management Framework | =9.3.3 | |
| Oracle Application Testing Suite | =13.2.0.1 | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Big Data Discovery | =1.6 | |
| Oracle Communications Asap Cartridges | =7.2 | |
| Oracle Communications Asap Cartridges | =7.3 | |
| Oracle Communications Design Studio | =7.3.4.3.0 | |
| Oracle Communications Design Studio | =7.3.5.5.0 | |
| Oracle Communications Design Studio | =7.4.0.4.0 | |
| Oracle Communications Design Studio | =7.4.1.1.0 | |
| Oracle Communications Element Manager | =8.0.0 | |
| Oracle Communications Element Manager | =8.1.0 | |
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Network Integrity | =7.3.5 | |
| Oracle Communications Network Integrity | =7.3.6 | |
| Oracle Communications Order and Service Management | =7.3.0.0.0 | |
| Oracle Communications Order and Service Management | =7.4 | |
| Oracle Communications Session Report Manager | =8.0.0 | |
| Oracle Communications Session Report Manager | =8.1.0 | |
| Oracle Communications Session Report Manager | =8.1.1 | |
| Oracle Communications Session Report Manager | =8.2.0 | |
| Oracle Communications Session Route Manager | =8.0.0 | |
| Oracle Communications Session Route Manager | =8.1.0 | |
| Oracle Communications Session Route Manager | =8.1.1 | |
| Oracle Communications Session Route Manager | =8.2.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Enterprise Manager Base Platform | =12.1.0.5 | |
| Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
| Oracle Enterprise Manager For Fusion Middleware | =12.1.0.5 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=7.3.3<=7.3.5 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.0<=8.0.8 | |
| Oracle Financial Services Compliance Regulatory Reporting | >=8.0.6<=8.0.8 | |
| Oracle Financial Services Funds Transfer Pricing | >=8.0.2<=8.0.7 | |
| Oracle FLEXCUBE Core Banking | =11.7.0 | |
| Oracle FLEXCUBE Core Banking | =11.8.0 | |
| Oracle FLEXCUBE Core Banking | =11.9.0 | |
| Oracle FLEXCUBE Core Banking | =11.10.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Internet Directory | =12.2.1.3.0 | |
| Oracle Internet Directory | =12.2.1.4.0 | |
| Oracle Knowledge | >=8.6.0<=8.6.3 | |
| Oracle Peoplesoft Enterprise Human Capital Management Human Resources | =7.3.5 | |
| Oracle Peoplesoft Enterprise Human Capital Management Human Resources | =7.3.6 | |
| Oracle Peoplesoft Enterprise Human Capital Management Human Resources | =9.2 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle Policy Automation Connector For Siebel | =10.4.6 | |
| Oracle Primavera Gateway | =16.2.11 | |
| Oracle Primavera Gateway | =17.12.6 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Rapid Planning | =12.1 | |
| Oracle Rapid Planning | =12.2 | |
| Oracle Real-time Decision Server | =3.2.1.0 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Order Broker | =18.0 | |
| Oracle Retail Xstore Point of Service | =7.1 | |
| Oracle Secure Global Desktop | =5.4 | |
| Oracle Secure Global Desktop | =5.5 | |
| Oracle Siebel Ui Framework | <=21.0 | |
| Oracle Tuxedo | =12.1.1.0.0 | |
| Oracle Tuxedo | =12.1.3 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| maven/axis:axis | <=1.4 | |
| maven/org.apache.axis:axis | <=1.4 | |
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd@%3Cjava-user.axis.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2019-0227
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/advisories/GHSA-h9gj-rqrw-x4fq (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159283
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- agent/type
- agent/remedy
- agent/description
- agent/severity
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h9gj-rqrw-x4fq
- alias/CVE-2019-0227
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory
- collector/ibm-support
- source/IBM
- vendor/apache
- canonical/apache axis
- version/apache axis/1.4
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile product lifecycle management framework
- version/oracle agile product lifecycle management framework/9.3.3
- canonical/oracle application testing suite
- version/oracle application testing suite/13.2.0.1
- version/oracle application testing suite/13.3.0.1
- canonical/oracle big data discovery
- version/oracle big data discovery/1.6
- canonical/oracle communications asap cartridges
- version/oracle communications asap cartridges/7.2
- version/oracle communications asap cartridges/7.3
- canonical/oracle communications design studio
- version/oracle communications design studio/7.3.4.3.0
- version/oracle communications design studio/7.3.5.5.0
- version/oracle communications design studio/7.4.0.4.0
- version/oracle communications design studio/7.4.1.1.0
- canonical/oracle communications element manager
- version/oracle communications element manager/8.0.0
- version/oracle communications element manager/8.1.0
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- canonical/oracle communications network integrity
- version/oracle communications network integrity/7.3.5
- version/oracle communications network integrity/7.3.6
- canonical/oracle communications order and service management
- version/oracle communications order and service management/7.3.0.0.0
- version/oracle communications order and service management/7.4
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.1.0
- version/oracle communications session report manager/8.1.1
- version/oracle communications session report manager/8.2.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.1.0
- version/oracle communications session route manager/8.1.1
- version/oracle communications session route manager/8.2.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/12.1.0.5
- version/oracle enterprise manager base platform/13.3.0.0
- canonical/oracle enterprise manager for fusion middleware
- version/oracle enterprise manager for fusion middleware/12.1.0.5
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/7.3.3
- version/oracle financial services analytical applications infrastructure/7.3.5
- version/oracle financial services analytical applications infrastructure/8.0.0
- version/oracle financial services analytical applications infrastructure/8.0.8
- canonical/oracle financial services compliance regulatory reporting
- version/oracle financial services compliance regulatory reporting/8.0.6
- version/oracle financial services compliance regulatory reporting/8.0.8
- canonical/oracle financial services funds transfer pricing
- version/oracle financial services funds transfer pricing/8.0.2
- version/oracle financial services funds transfer pricing/8.0.7
- canonical/oracle flexcube core banking
- version/oracle flexcube core banking/11.7.0
- version/oracle flexcube core banking/11.8.0
- version/oracle flexcube core banking/11.9.0
- version/oracle flexcube core banking/11.10.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle internet directory
- version/oracle internet directory/12.2.1.3.0
- version/oracle internet directory/12.2.1.4.0
- canonical/oracle knowledge
- version/oracle knowledge/8.6.0
- version/oracle knowledge/8.6.3
- canonical/oracle peoplesoft enterprise human capital management human resources
- version/oracle peoplesoft enterprise human capital management human resources/7.3.5
- version/oracle peoplesoft enterprise human capital management human resources/7.3.6
- version/oracle peoplesoft enterprise human capital management human resources/9.2
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.56
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- canonical/oracle policy automation connector for siebel
- version/oracle policy automation connector for siebel/10.4.6
- canonical/oracle primavera gateway
- version/oracle primavera gateway/16.2.11
- version/oracle primavera gateway/17.12.6
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- canonical/oracle rapid planning
- version/oracle rapid planning/12.1
- version/oracle rapid planning/12.2
- canonical/oracle real-time decision server
- version/oracle real-time decision server/3.2.1.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- version/oracle retail order broker/18.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/7.1
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.4
- version/oracle secure global desktop/5.5
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/21.0
- canonical/oracle tuxedo
- version/oracle tuxedo/12.1.1.0.0
- version/oracle tuxedo/12.1.3
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19