
List:       apache-announce
Subject:    [ANNOUNCE] Apache ODE 1.3.3
From:       Matthieu Riou <mriou () apache ! org>
Date:       2009-08-08 4:41:03
Message-ID: fbdc6a970908072141w20a7a9d9ka1f896ad8073dffb () mail ! gmail ! com

Hi,

I'm pleased to announce the release of ODE 1.3.3, a security release of
Apache ODE. It fixes a vulnerability in the process deployment service that
allowed an attacker, using a forged deployment message, to create, overwrite
or delete files on the server file system. See the full vulnerability
announcement below.

Apache ODE is a WS-BPEL compliant web service orchestration engine. It
organizes web services calls following a process description written in the
BPEL XML grammar. Another way to describe it would be a web-service capable
workflow engine.

This new release also includes new features, bug fixes and improvements. See
the release notes for an exhaustive list:
https://issues.apache.org/jira/browse/ODE/fixforversion/12313906

For more information, check the Apache ODE website:
http://ode.apache.org/

Apache ODE is an open source project released under a business-friendly
license (Apache License v2.0), as such we welcome your help and
contributions. To participate and get involved, our mailing lists are the
best resources to start from:
http://ode.apache.org/mailing-lists.html

Thank you,
The Apache ODE Team

------

CVE-2008-2370: Apache ODE information disclosure vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
2.0-beta1 and 2.0-beta2 are also affected.

Description: The process deployment web service was susceptible to deployment
messages carrying forged package names. Because the name was used as a path
without validation, a name containing "../" segments allowed directory
traversal, resulting in the potential writing of files to unwanted locations
(for example a new WAR under a webapp deployment directory), the overwriting
of existing files, or their deletion.

Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
the latest source from svn or apply the patch published under
http://people.apache.org/~mriou/CVE-2008-2370-patch.txt



Example: Deleting a file /tmp/blabla using undeploy by sending the following
message to the deployment service:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>

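
The following Python script is an added illustration and is not ODE's own code
or the published patch. It parses the undeploy message above, shows where the
forged packageName lands when it is naively joined onto a deployment directory,
and then applies the kind of check the fix needs: a package name must be a
single path component, and the resolved path must still sit inside the
deployment root. The deployment root path, the message bytes and the function
names are constructed for the example.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed deployment root; ODE's real location depends on the install.
DEPLOY_ROOT = "/opt/ode/WEB-INF/processes"

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# The advisory's example message, embedded here as constructed sample input.
UNDEPLOY_MESSAGE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""


def package_name_from_undeploy(message: bytes) -> str:
    """Extract <packageName> from a pmapi undeploy request.

    packageName itself carries no namespace prefix in the message, so it is
    looked up as an unqualified child of the namespaced undeploy element.
    """
    root = ET.fromstring(message)
    node = root.find(f"{{{SOAP_NS}}}Body/{{{PMAPI_NS}}}undeploy/packageName")
    if node is None or node.text is None:
        raise ValueError("undeploy request has no packageName")
    return node.text.strip()


def unsafe_package_path(deploy_root: str, package_name: str) -> str:
    """Behaviour the advisory describes: the name is joined straight onto the
    deployment directory, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(deploy_root, package_name))


def is_safe_package_name(deploy_root: str, package_name: str) -> bool:
    """Hardened check (illustrative, not the project's patch).

    1. The name must be non-empty, contain no path separator or NUL, and
       must not be '.' or '..', so it can only be one path component.
    2. As a second line of defence, the canonicalised result must be a
       strict descendant of the deployment root.
    """
    if not package_name or package_name in (".", ".."):
        return False
    if any(ch in package_name for ch in ("/", "\\", "\0")):
        return False
    root = posixpath.normpath(deploy_root)
    candidate = posixpath.normpath(posixpath.join(root, package_name))
    return candidate != root and posixpath.commonpath([root, candidate]) == root


def safe_package_path(deploy_root: str, package_name: str) -> str:
    """Resolve a package directory, refusing anything that escapes the root."""
    if not is_safe_package_name(deploy_root, package_name):
        raise ValueError(f"rejected package name: {package_name!r}")
    return posixpath.normpath(posixpath.join(deploy_root, package_name))


if __name__ == "__main__":
    name = package_name_from_undeploy(UNDEPLOY_MESSAGE)
    print("forged name resolves (unchecked) to:", unsafe_package_path(DEPLOY_ROOT, name))
    print("accepted by hardened check:", is_safe_package_name(DEPLOY_ROOT, name))
    print("legitimate package resolves to:", safe_package_path(DEPLOY_ROOT, "HelloWorld"))
```

Run against the advisory's message, the unchecked join resolves to /tmp/blabla
(normpath clamps the excess "../" segments at the filesystem root, which is
why the attacker can pad the name with more "../" than needed), while the
hardened check rejects the name before any file operation happens. Rejecting
separators outright, rather than only comparing canonical paths, also closes
the "new WAR under a webapp directory" case, since a create or overwrite
targeted at another directory always needs a separator in the name.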
Credit: This issue was discovered by Marc Schoenefeld of Red Hat.

