2013-05 Security Bulletin: Network and Security Manager: Multiple Apache Axis2 vulnerabilities fixed

[JSA10566]

Legacy Advisory Id:
Product Affected:
Network and Security Manager Products
The Apache Axis2 service on Network and Security Manager (NSM) installations has an administrative account with a default password. This may allow an untrusted remote user to upload an arbitrary web service, which can lead to complete compromise of the NSM system and of the devices managed by NSM. This issue is referenced by CVE-2010-0219.

The Apache Axis2 service on NSM is also vulnerable to a cross-site scripting issue, CVE-2010-2103.

The following is a summary of the CVE IDs referenced in this advisory:

Component      CVE ID          CVSSv2 Base Score   Summary
Apache Axis2   CVE-2010-2103   4.3                 Cross-site scripting (XSS) vulnerability in Axis2
Apache Axis2   CVE-2010-0219   10.0                Default administrative account with known password

These vulnerabilities are fixed in NSM versions:
2012.2R2 or later
2012.1R6 or later
2011.4S9 or later
2010.3S12 or later

The Apache Axis2 default administrative account is not used by NSM products. It can be safely disabled by commenting out the userName and password parameters in the axis2 configuration file located at: /usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml

1. Comment out the following lines by adding XML block comment delimiters <!-- before and --> after:

<parameter name="userName">admin</parameter>
<parameter name="password">*****</parameter>

For example:

<!-- <parameter name="userName">admin</parameter> -->
<!-- <parameter name="password">*****</parameter> -->

2. Restart the following NSM server process:
/usr/netscreen/GuiSvr/bin/ restart
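An added check and fix for the workaround above, written for this advisory rather than taken from it or from Juniper or Apache: it parses axis2.xml with Python's standard XML parser, reports whether the userName and password parameters are still live (uncommented), and rewrites them in the commented-out form step 1 asks for. The sample configuration fragment is constructed; the file path is the one the advisory gives.

```python
import re
import xml.etree.ElementTree as ET

# Path given in the advisory for the NSM GuiSvr axis2 configuration.
NSM_AXIS2_XML = "/usr/netscreen/GuiSvr/lib/webproxy/webapps/axis2/WEB-INF/conf/axis2.xml"

# Constructed sample fragment in the state the advisory describes: the
# administrative credential parameters are present and not commented out.
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">*****</parameter>
    <parameter name="enableMTOM">false</parameter>
</axisconfig>
"""

ADMIN_PARAMS = ("userName", "password")

# Matches a whole line holding one of the two credential parameters; a line
# that already starts with <!-- does not match, so the fix is idempotent.
_ADMIN_LINE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<elem><parameter name="(?:userName|password)">[^<]*</parameter>)[ \t]*$',
    re.MULTILINE,
)


def active_admin_params(xml_text):
    """Return {name: value} for credential parameters the parser still sees.
    Anything inside <!-- --> is a comment and is dropped, so a commented-out
    account simply does not appear in the result."""
    root = ET.fromstring(xml_text)
    return {
        p.get("name"): (p.text or "").strip()
        for p in root.iter("parameter")
        if p.get("name") in ADMIN_PARAMS
    }


def default_admin_enabled(xml_text):
    """True when both credential parameters are live (the CVE-2010-0219 condition)."""
    return set(ADMIN_PARAMS) <= set(active_admin_params(xml_text))


def comment_out_admin_params(xml_text):
    """Apply the advisory's workaround by wrapping each live credential
    parameter line in XML block comment delimiters."""
    return _ADMIN_LINE.sub(r"\g<indent><!-- \g<elem> -->", xml_text)


def check_file(path=NSM_AXIS2_XML):
    """Read a real axis2.xml and report whether the default account is live."""
    with open(path, encoding="utf-8") as fh:
        return default_admin_enabled(fh.read())
```

Run check_file() on an NSM host to audit the live file; the process restart in step 2 is still required after writing the commented-out version back.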

CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Severity Level:
Severity Assessment:
Score based on Apache Axis2 CVE-2010-0219