CVE-2023-40743

NameCVE-2023-40743
Description** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3622-1
Debian Bugs1051288

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
axis (PTS)jessie1.4-22vulnerable
stretch (security), stretch (lts), stretch1.4-25+deb9u1vulnerable
buster1.4-28vulnerable
buster (security)1.4-28+deb10u1fixed
bullseye1.4-28+deb11u1fixed
bookworm1.4-28+deb12u1fixed
trixie, sid1.4-29fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
axissourcejessie(unfixed)end-of-life
axissourcestretch(unfixed)end-of-life
axissourcebuster1.4-28+deb10u1DLA-3622-1
axissourcebullseye1.4-28+deb11u1
axissourcebookworm1.4-28+deb12u1
axissource(unstable)1.4-291051288

Notes

https://www.openwall.com/lists/oss-security/2023/09/05/1
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
Search for package or bug name: Reporting problems