CVE-2023-40743: Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
First published: Tue Sep 05 2023(Updated: )
** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Axis | <2023-08-01 | |
| maven/axis:axis | <=1.4 | |
| maven/org.apache.axis:axis | <=1.4 | |
| IBM R9.2 | <=89.22.19.0 | |
| IBM R9.3 | <=89.30.68.0 89.32.40.0 89.33.48.0 | |
| <2023-08-01 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
- https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
- https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-40743
- https://github.com/advisories/GHSA-rmqp-9w4c-gc7w (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/265157
- https://www.ibm.com/support/pages/node/7130084 (Advisory)
Frequently Asked Questions
What is CVE-2023-40743?
CVE-2023-40743 is a vulnerability in Apache Axis 1.x that may allow remote code execution (RCE) when untrusted input is passed to the "getService" function.
What is the severity of CVE-2023-40743?
CVE-2023-40743 has a severity rating of critical with a CVSS score of 9.8.
How does CVE-2023-40743 affect Apache Axis 1.x?
CVE-2023-40743 affects Apache Axis 1.x by allowing potentially dangerous lookup mechanisms such as LDAP when using the "ServiceFactory.getService" function with untrusted input.
How can I fix CVE-2023-40743?
To fix CVE-2023-40743, it is recommended to upgrade to a supported version of Apache Axis or apply the necessary patches and security updates provided by the vendor.
Where can I find more information about CVE-2023-40743?
You can find more information about CVE-2023-40743 in the references provided: [Reference 1](https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210), [Reference 2](https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82), [Reference 3](https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html).
- collector/oss-sec
- alias/CVE-2023-40743
- collector/nvd-index
- agent/weakness
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/severity
- agent/title
- agent/references
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rmqp-9w4c-gc7w
- agent/software-canonical-lookup
- agent/status
- agent/description
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-api
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- status/unsupported
- vendor/apache
- canonical/apache axis
- package-manager/maven
- vendor/ibm
- canonical/ibm r9.2
- version/ibm r9.2/89.22.19.0
- canonical/ibm r9.3
- version/ibm r9.3/89.30.68.0 89.32.40.0 89.33.48.0