CVE-2019-0227: SSRF
First published: Wed May 01 2019(Updated: )
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/axis:axis | <=1.4 | |
| maven/org.apache.axis:axis | <=1.4 | |
| IBM Security Directory Suite | <=8.0.1-8.0.1.19 | |
| Apache Axis | =1.4 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile Product Lifecycle Management | =9.3.3 | |
| Oracle Application Testing Suite | =13.2.0.1 | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Big Data Discovery | =1.6 | |
| Oracle Communications ASAP | =7.2 | |
| Oracle Communications ASAP | =7.3 | |
| Oracle Communications Design Studio | =7.3.4.3.0 | |
| Oracle Communications Design Studio | =7.3.5.5.0 | |
| Oracle Communications Design Studio | =7.4.0.4.0 | |
| Oracle Communications Design Studio | =7.4.1.1.0 | |
| Oracle Communications Element Manager | =8.0.0 | |
| Oracle Communications Element Manager | =8.1.0 | |
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Network Integrity | =7.3.5 | |
| Oracle Communications Network Integrity | =7.3.6 | |
| Oracle Communications Order and Service Management | =7.3.0.0.0 | |
| Oracle Communications Order and Service Management | =7.4 | |
| Oracle Communications Session Report Manager | =8.0.0 | |
| Oracle Communications Session Report Manager | =8.1.0 | |
| Oracle Communications Session Report Manager | =8.1.1 | |
| Oracle Communications Session Report Manager | =8.2.0 | |
| Oracle Communications Session Route Manager | =8.0.0 | |
| Oracle Communications Session Route Manager | =8.1.0 | |
| Oracle Communications Session Route Manager | =8.1.1 | |
| Oracle Communications Session Route Manager | =8.2.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Enterprise Manager | =12.1.0.5 | |
| Oracle Enterprise Manager | =13.3.0.0 | |
| Oracle Enterprise Manager for Fusion Middleware | =12.1.0.5 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=7.3.3<=7.3.5 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.0<=8.0.8 | |
| Oracle Financial Services Compliance Regulatory Reporting | >=8.0.6<=8.0.8 | |
| Oracle Financial Services Funds Transfer Pricing | >=8.0.2<=8.0.7 | |
| Oracle FLEXCUBE Core Banking | =11.7.0 | |
| Oracle FLEXCUBE Core Banking | =11.8.0 | |
| Oracle FLEXCUBE Core Banking | =11.9.0 | |
| Oracle FLEXCUBE Core Banking | =11.10.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Instantis EnterpriseTrack | =17.1 | |
| Oracle Instantis EnterpriseTrack | =17.2 | |
| Oracle Instantis EnterpriseTrack | =17.3 | |
| Oracle Internet Directory | =12.2.1.3.0 | |
| Oracle Internet Directory | =12.2.1.4.0 | |
| Oracle Knowledge | >=8.6.0<=8.6.3 | |
| Oracle PeopleSoft Enterprise Human Capital Management | =7.3.5 | |
| Oracle PeopleSoft Enterprise Human Capital Management | =7.3.6 | |
| Oracle PeopleSoft Enterprise Human Capital Management | =9.2 | |
| Oracle PeopleTools | =8.56 | |
| Oracle PeopleTools | =8.57 | |
| Oracle PeopleTools | =8.58 | |
| Oracle Policy Automation | =10.4.6 | |
| Oracle Primavera Gateway | =16.2.11 | |
| Oracle Primavera Gateway | =17.12.6 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Rapid Planning | =12.1 | |
| Oracle Rapid Planning | =12.2 | |
| Oracle Real-Time Decisions | =3.2.1.0 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Order Broker | =18.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Tarantella Secure Global Desktop | =5.4 | |
| Tarantella Secure Global Desktop | =5.5 | |
| Oracle Siebel User Interface Framework | <=21.0 | |
| Oracle Tuxedo | =12.1.1.0.0 | |
| Oracle Tuxedo | =12.1.3 | |
| Oracle WebCenter Portal | =12.2.1.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd@%3Cjava-user.axis.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2019-0227
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/advisories/GHSA-h9gj-rqrw-x4fq (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159283
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2019-0227?
The severity of CVE-2019-0227 is classified as high due to its potential for Server Side Request Forgery (SSRF) exploits.
How do I fix CVE-2019-0227?
To fix CVE-2019-0227, users are advised to upgrade to a version of Apache Axis later than 1.4 or build the software from source.
What are the affected software versions for CVE-2019-0227?
CVE-2019-0227 affects Apache Axis version 1.4 and certain Oracle and IBM products that integrate this library.
Is CVE-2019-0227 exploitable remotely?
Yes, CVE-2019-0227 can be exploited remotely due to its nature as a Server Side Request Forgery vulnerability.
What is the impact of a successful exploit of CVE-2019-0227?
A successful exploit of CVE-2019-0227 could allow an attacker to make unauthorized requests to internal systems and potentially gain access to sensitive data.
- agent/type
- agent/remedy
- agent/description
- agent/severity
- agent/author
- agent/weakness
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h9gj-rqrw-x4fq
- alias/CVE-2019-0227
- agent/software-canonical-lookup
- agent/event
- collector/github-advisory
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/nvd-index
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite
- version/ibm security directory suite/8.0.1-8.0.1.19
- vendor/apache
- canonical/apache axis
- version/apache axis/1.4
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile product lifecycle management
- version/oracle agile product lifecycle management/9.3.3
- canonical/oracle application testing suite
- version/oracle application testing suite/13.2.0.1
- version/oracle application testing suite/13.3.0.1
- canonical/oracle big data discovery
- version/oracle big data discovery/1.6
- canonical/oracle communications asap
- version/oracle communications asap/7.2
- version/oracle communications asap/7.3
- canonical/oracle communications design studio
- version/oracle communications design studio/7.3.4.3.0
- version/oracle communications design studio/7.3.5.5.0
- version/oracle communications design studio/7.4.0.4.0
- version/oracle communications design studio/7.4.1.1.0
- canonical/oracle communications element manager
- version/oracle communications element manager/8.0.0
- version/oracle communications element manager/8.1.0
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- canonical/oracle communications network integrity
- version/oracle communications network integrity/7.3.5
- version/oracle communications network integrity/7.3.6
- canonical/oracle communications order and service management
- version/oracle communications order and service management/7.3.0.0.0
- version/oracle communications order and service management/7.4
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.1.0
- version/oracle communications session report manager/8.1.1
- version/oracle communications session report manager/8.2.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.1.0
- version/oracle communications session route manager/8.1.1
- version/oracle communications session route manager/8.2.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0
- canonical/oracle enterprise manager
- version/oracle enterprise manager/12.1.0.5
- version/oracle enterprise manager/13.3.0.0
- canonical/oracle enterprise manager for fusion middleware
- version/oracle enterprise manager for fusion middleware/12.1.0.5
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/7.3.3
- version/oracle financial services analytical applications infrastructure/7.3.5
- version/oracle financial services analytical applications infrastructure/8.0.0
- version/oracle financial services analytical applications infrastructure/8.0.8
- canonical/oracle financial services compliance regulatory reporting
- version/oracle financial services compliance regulatory reporting/8.0.6
- version/oracle financial services compliance regulatory reporting/8.0.8
- canonical/oracle financial services funds transfer pricing
- version/oracle financial services funds transfer pricing/8.0.2
- version/oracle financial services funds transfer pricing/8.0.7
- canonical/oracle flexcube core banking
- version/oracle flexcube core banking/11.7.0
- version/oracle flexcube core banking/11.8.0
- version/oracle flexcube core banking/11.9.0
- version/oracle flexcube core banking/11.10.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle internet directory
- version/oracle internet directory/12.2.1.3.0
- version/oracle internet directory/12.2.1.4.0
- canonical/oracle knowledge
- version/oracle knowledge/8.6.0
- version/oracle knowledge/8.6.3
- canonical/oracle peoplesoft enterprise human capital management
- version/oracle peoplesoft enterprise human capital management/7.3.5
- version/oracle peoplesoft enterprise human capital management/7.3.6
- version/oracle peoplesoft enterprise human capital management/9.2
- canonical/oracle peopletools
- version/oracle peopletools/8.56
- version/oracle peopletools/8.57
- version/oracle peopletools/8.58
- canonical/oracle policy automation
- version/oracle policy automation/10.4.6
- canonical/oracle primavera gateway
- version/oracle primavera gateway/16.2.11
- version/oracle primavera gateway/17.12.6
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- canonical/oracle rapid planning
- version/oracle rapid planning/12.1
- version/oracle rapid planning/12.2
- canonical/oracle real-time decisions
- version/oracle real-time decisions/3.2.1.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- version/oracle retail order broker/18.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- canonical/tarantella secure global desktop
- version/tarantella secure global desktop/5.4
- version/tarantella secure global desktop/5.5
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/21.0
- canonical/oracle tuxedo
- version/oracle tuxedo/12.1.1.0.0
- version/oracle tuxedo/12.1.3
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0