
List:       kandula-dev
Subject:    [jira] [Commented] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips
From:       "Andreas Veithen (JIRA)" <jira () apache ! org>
Date:       2018-03-19 23:15:00
Message-ID: JIRA.13145380.1521121958000.56472.1521501300050 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16405577#comment-16405577 ]

Andreas Veithen commented on AXIS2-5911:
----------------------------------------

I don't understand. The error messages basically mean that the Veracode thing is too dumb to properly compile the JSPs. The only known problem is the weak default password. If we remove that and instead use container security, then it would be disabled by default.

> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
> 
> Key: AXIS2-5911
> URL: https://issues.apache.org/jira/browse/AXIS2-5911
> Project: Axis2
> Issue Type: Improvement
> Reporter: robert lazarski
> Assignee: robert lazarski
> Priority: Major
> 
> The axis2 mailing list is getting frequent requests for help regarding 3rd party penetration testing tool reports. Jira issues are also getting created. A lot of these reports are in the localhost:8080/axis2/axis2-web section, for example. It's not mandatory to run HappyAxis.jsp in prod - arguably we should discourage it. There are "enumeration" vulnerabilities and info leakage issues in the axis2-web section. This whole axis2-web section is disabled in my day job, for example. axis2-admin is another area that will perhaps be off by default in an upcoming release, since the current implementation uses weak passwords, see AXIS2-5910. 500 Exceptions are easy to create with Axis2 since it requires specific parameters in the payload, therefore penetration testing will likely cause them. Customized error handling via the web.xml could be recommended in the FAQ. Any thoughts, comments or concerns [~veithen]?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)



