Products Affected: Network and Security Manager, NSMXpress/NSMXpress HA, NSM3000 Risk Assessment: CVSSv2 Base Score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) based on Apache Axes2 CVE-2010-0219. Risk Level: Critical CVE: CVE-2010-0219, CVE-2010-2103
Problem or Goal:
The Apache Axis2 service on Network and Security Manager (NSM) installations has an administrative account with a default password. This may allow an untrusted remote user to upload any arbitrary web service which can lead to complete compromise of the NSM system and devices managed by NSM. This issue is referenced by CVE-2010-0219.
Apache Axis2 service on NSM is also vulnerable to a Cross-site scripting issue CVE-2010-2103.
Following is a summary of CVE ids referenced in this advisory:
Default administrative account with known password
These vulnerabilities are fixed in NSM versions:
2012.2R2 or later
2012.1R6 or later
2011.4S9 or later
2010.3S12 or later
The Apache Axis2 default administrative account is not used by NSM products. It can be safely disabled by commenting out the userName and password parameters in axis2 configuration file located at: /usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml
1. Comment out the following lines by adding XML block comment delimiters <!-- before and --> after: