
2013-05 Security Bulletin: Network and Security Manager: Multiple Apache Axis2 vulnerabilities fixed

Article ID: JSA10566 SECURITY_ADVISORIES Last Updated: 10 May 2013 Version: 1.0
Legacy Advisory Id:
PSN-2013-05-938
Product Affected:
Network and Security Manager Products
Problem:
The Apache Axis2 service shipped with Network and Security Manager (NSM) has an administrative account with a default, publicly known password. An untrusted remote user can use this account to upload an arbitrary web service, which can lead to complete compromise of the NSM system and of the devices NSM manages. This issue is referenced by CVE-2010-0219.

The Apache Axis2 service on NSM is also vulnerable to a cross-site scripting issue, CVE-2010-2103.

The following is a summary of the CVE IDs referenced in this advisory:

Component      CVE ID         CVSSv2 Base Score   Summary
Apache Axis2   CVE-2010-2103  4.3                 Cross-site scripting (XSS) vulnerability in Axis2
Apache Axis2   CVE-2010-0219  10.0                Default administrative account with known password


Solution:
These vulnerabilities are fixed in the following NSM versions:
2012.2R2 or later
2012.1R6 or later
2011.4S9 or later
2010.3S12 or later


Workaround:
The Apache Axis2 default administrative account is not used by NSM products, so it can be safely disabled by commenting out the userName and password parameters in the Axis2 configuration file located at: /usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml. This workaround removes the default account (CVE-2010-0219) only; upgrade to one of the fixed releases listed above to address the cross-site scripting issue as well.

1. Comment out the following lines by wrapping them in XML comment delimiters (<!-- before and --> after):

<parameter name="userName">admin</parameter>
<parameter name="password">*****</parameter>

For example:

<!--
<parameter name="userName">admin</parameter>
<parameter name="password">*****</parameter>
-->

2. Restart the NSM GUI server web proxy process:
/usr/netscreen/GuiSvr/bin/guiSvrWebProxy.sh restart
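The two workaround steps above, applied as a script. This is an added example, not Juniper's own tooling: it assumes a POSIX shell with sed and grep, takes the path to axis2.xml as an argument, keeps a .bak copy, treats a file whose credential parameters are already commented out as a no-op, and verifies that no active userName/password parameter remains before reporting success. The axis2.xml fragment it writes for the demonstration is constructed, with a placeholder in place of the real password, and the restart command is left as a comment because it only makes sense on an NSM server.

```shell
#!/bin/sh
# Added example (not Juniper's code): apply the NSM Axis2 workaround to a
# given axis2.xml. Wraps the active userName/password parameter lines in XML
# comments, keeps a backup, and verifies the result. Re-running it is a no-op.

# Count parameter lines that still carry the Axis2 admin credentials.
# Lines already wrapped in "<!-- ... -->" do not start with "<parameter",
# so they are not counted. Prints 0 (and succeeds) when there are none.
active_credential_lines() {
    grep -Ec '^[[:space:]]*<parameter name="(userName|password)">' "$1" || true
}

# disable_axis2_admin FILE
# Returns 0 when FILE ends up with no active credential parameters.
disable_axis2_admin() {
    cfg="$1"
    if [ ! -f "$cfg" ]; then
        echo "disable_axis2_admin: no such file: $cfg" >&2
        return 1
    fi
    if [ "$(active_credential_lines "$cfg")" -eq 0 ]; then
        echo "disable_axis2_admin: credentials already disabled in $cfg" >&2
        return 0
    fi
    cp "$cfg" "$cfg.bak" || return 1
    # Step 1 of the advisory: wrap each credential parameter line in <!-- -->,
    # preserving its indentation. Other parameters are left untouched.
    sed -E 's#^([[:space:]]*)(<parameter name="(userName|password)">.*</parameter>)#\1<!-- \2 -->#' \
        "$cfg.bak" > "$cfg" || return 1
    # Verify before reporting success.
    if [ "$(active_credential_lines "$cfg")" -ne 0 ]; then
        echo "disable_axis2_admin: active credentials remain in $cfg" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed axis2.xml fragment (placeholder password,
# not the real default) in a temporary directory.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/axis2.xml"
cat > "$demo_cfg" <<'EOF'
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">PLACEHOLDER</parameter>
    <parameter name="enableMTOM">false</parameter>
</axisconfig>
EOF
disable_axis2_admin "$demo_cfg" && echo "credentials disabled in $demo_cfg"
cat "$demo_cfg"
rm -rf "$demo_dir"

# Step 2 of the advisory, to be run on the NSM server itself after editing
# the real file:
# /usr/netscreen/GuiSvr/bin/guiSvrWebProxy.sh restart
```

On a real NSM server, run disable_axis2_admin against /usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml and then restart the web proxy as in step 2; the .bak file left beside axis2.xml is the rollback.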


Implementation:

CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Severity Level:
Critical
Severity Assessment:
Score based on Apache Axis2 CVE-2010-0219
Acknowledgements:
