

 

2013-05 Security Bulletin: Network and Security Manager: Multiple Apache Axis2 vulnerabilities fixed


Categories:
Security Advisories ID: JSA10566
Last Updated: 10 May 2013
Version: 1.0

Legacy Advisory Id:
PSN-2013-05-938

Product Affected:
Network and Security Manager Products

Problem:
The Apache Axis2 service on Network and Security Manager (NSM) installations ships with an administrative account that has a default password. This may allow an untrusted remote user to upload an arbitrary web service, which can lead to complete compromise of the NSM system and of the devices managed by NSM. This issue is referenced by CVE-2010-0219.

The Apache Axis2 service on NSM is also vulnerable to a cross-site scripting (XSS) issue, referenced by CVE-2010-2103.

Following is a summary of the CVE IDs referenced in this advisory:

Component      CVE ID          CVSSv2 Base Score   Summary
Apache Axis2   CVE-2010-2103   4.3                 Cross-site scripting (XSS) vulnerability in Axis2
Apache Axis2   CVE-2010-0219   10.0                Default administrative account with known password


Solution:
These vulnerabilities are fixed in the following NSM versions:
2012.2R2 or later
2012.1R6 or later
2011.4S9 or later
2010.3S12 or later


Workaround:
The Apache Axis2 default administrative account is not used by NSM products. It can be safely disabled by commenting out the userName and password parameters in axis2 configuration file located at: /usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml

1. Comment out the following lines by adding the XML comment delimiters <!-- before and --> after them:

<parameter name="userName">admin</parameter>
<parameter name="password">*****</parameter>

For example:

<!--
<parameter name="userName">admin</parameter>
<parameter name="password">*****</parameter>
-->

2. Restart the following NSM server process:
/usr/netscreen/GuiSvr/bin/guiSvrWebProxy.sh restart
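The following script is an added example and not Juniper's code. It applies the two workaround steps above on the NSM host: it checks whether the Axis2 default administrative account is still active (ignoring anything already inside an XML comment), comments out the userName and password parameters, and restarts guiSvrWebProxy. It comments each parameter line individually rather than wrapping both in one block comment, which has the same effect. The axis2.xml and guiSvrWebProxy.sh paths are the ones given in this advisory; the sample axis2.xml content built by make_sample_axis2_xml is constructed for demonstration only, and the script only touches the real file when invoked with the argument "apply".

```shell
#!/bin/sh
# Added example (not Juniper's code) for the JSA10566 workaround.
# Path from the advisory; override with AXIS2_XML=... for testing.
AXIS2_XML="${AXIS2_XML:-/usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml}"
WEBPROXY_SCRIPT="/usr/netscreen/GuiSvr/bin/guiSvrWebProxy.sh"

# Print the file with all <!-- ... --> comments removed (comments may span lines),
# so that an already commented-out account is not mistaken for an active one.
strip_xml_comments() {
    awk '
        BEGIN { inc = 0 }
        {
            line = $0; out = ""
            while (length(line) > 0) {
                if (inc) {
                    e = index(line, "-->")
                    if (e == 0) { line = ""; break }
                    line = substr(line, e + 3); inc = 0
                } else {
                    s = index(line, "<!--")
                    if (s == 0) { out = out line; line = ""; break }
                    out = out substr(line, 1, s - 1)
                    line = substr(line, s + 4); inc = 1
                }
            }
            print out
        }' "$1"
}

# Exit status 0 if an uncommented userName parameter is still present.
axis2_admin_enabled() {
    strip_xml_comments "$1" | grep -q '<parameter name="userName">'
}

# Step 1: wrap the userName and password parameter lines in XML comments.
# A backup is kept as <file>.bak; lines that are already commented are left alone.
disable_axis2_admin() {
    file="$1"
    cp "$file" "$file.bak" || return 1
    sed -e 's|^\([[:space:]]*\)\(<parameter name="userName">.*</parameter>\)|\1<!-- \2 -->|' \
        -e 's|^\([[:space:]]*\)\(<parameter name="password">.*</parameter>\)|\1<!-- \2 -->|' \
        "$file.bak" > "$file"
}

# Step 2: restart the NSM web proxy so the change takes effect.
restart_gui_webproxy() {
    "$WEBPROXY_SCRIPT" restart
}

# Constructed sample of the relevant axis2.xml fragment (password masked as in the advisory).
make_sample_axis2_xml() {
    printf '%s\n' \
        '<axisconfig name="AxisJava2.0">' \
        '    <parameter name="hotdeployment">true</parameter>' \
        '    <parameter name="userName">admin</parameter>' \
        '    <parameter name="password">*****</parameter>' \
        '</axisconfig>' > "$1"
}

# Only modify the live configuration when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    if axis2_admin_enabled "$AXIS2_XML"; then
        disable_axis2_admin "$AXIS2_XML" && restart_gui_webproxy
    else
        echo "Axis2 default admin account is already disabled in $AXIS2_XML"
    fi
fi
```

Run it as `sh disable_axis2_admin.sh apply` on the NSM server; rerunning it is safe because the check is performed on the comment-stripped file, so an account that was already commented out (in either the block style shown above or per line) is reported as disabled rather than commented twice.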


Implementation:

Related Links:

CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Risk Level:
Critical

Risk Assessment:
Score based on Apache Axis2 CVE-2010-0219.

Acknowledgements:

 

 


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.