From c65efcb8b65ce297e04b9f68470846633a0d0e5abc8d8758a226ea8d5366d62f Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 8 Feb 2024 12:56:04 +0000
Subject: [PATCH] Accepting request 1145176 from home:gkenion:branches:Java:packages bsc#1218605, CVE-2023-51441
OBS-URL: https://build.opensuse.org/request/show/1145176
OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=58
---
 axis-CVE-2023-51441.patch | 46 +++
 axis-jdk11.patch | 740 +-------------------------------------
 axis.changes | 9 +
 axis.spec | 5 +-
 4 files changed, 70 insertions(+), 730 deletions(-)
 create mode 100644 axis-CVE-2023-51441.patch
diff --git a/axis-CVE-2023-51441.patch b/axis-CVE-2023-51441.patch
new file mode 100644
index 0000000..2f4f507
--- /dev/null
+++ b/axis-CVE-2023-51441.patch
@@ -0,0 +1,46 @@
+Index: axis-1_4/src/org/apache/axis/client/ServiceFactory.java
+===================================================================
+--- axis-1_4.orig/src/org/apache/axis/client/ServiceFactory.java
++++ axis-1_4/src/org/apache/axis/client/ServiceFactory.java
+@@ -17,9 +17,11 @@
+ package org.apache.axis.client;
+
+ import org.apache.axis.EngineConfiguration;
++import org.apache.axis.components.logger.LogFactory;
+ import org.apache.axis.configuration.EngineConfigurationFactoryFinder;
+ import org.apache.axis.utils.ClassUtils;
+ import org.apache.axis.utils.Messages;
++import org.apache.commons.logging.Log;
+
+ import javax.naming.Context;
+ import javax.naming.InitialContext;
+@@ -47,6 +49,9 @@ import java.util.Properties;
+ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ implements ObjectFactory
+ {
++ protected static Log log =
++ LogFactory.getLog(ServiceFactory.class.getName());
++
+ // Constants for RefAddrs in the Reference.
+ public static final String SERVICE_CLASSNAME = "service classname";
+ public static final String WSDL_LOCATION = "WSDL location";
+@@ -106,6 +111,11 @@ public class ServiceFactory extends java
+
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1 || name.toUpperCase().indexOf("IIOP")!=-1 || name.toUpperCase().indexOf("CORBANAME")!=-1) {
++ log.warn("returning null, jndiName received by ServiceFactory.getService() is not supported by this method: " + name);
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +130,7 @@ public class ServiceFactory extends java
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
diff --git a/axis-jdk11.patch b/axis-jdk11.patch
index fcda579..6b7ca2b 100644
--- a/axis-jdk11.patch
+++ b/axis-jdk11.patch
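Review bot: The added `jndiName` check is mis-parenthesised: the `name!=null &&` guard only covers the first four `indexOf` terms because the group closes after the `"JMX"` term, so a null `name` short-circuits past that group and evaluates `name.toUpperCase()` in the `"JRMP"` term, throwing a NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` default can run. The check also calls `toUpperCase()` with the default locale, so the substring match is locale-dependent (an `i` does not fold to `I` under a Turkish locale), which further weakens a deny-list that is already a substring match rather than an allow-list of expected names; fold once with `toUpperCase(Locale.ROOT)` (adds `import java.util.Locale;`) and match on that. The `return null` added in the `NamingException` catch drops the exception silently; log it at warn level before returning so an operator can see why `getService()` yielded null. `getService()` begins and ends outside the hunk.
```java
            if (name != null) {
                // Fold once with a fixed locale so the deny-list match is not locale-dependent.
                String upperName = name.toUpperCase(Locale.ROOT);
                if (upperName.indexOf("LDAP") != -1 || upperName.indexOf("RMI") != -1
                        || upperName.indexOf("JMS") != -1 || upperName.indexOf("JMX") != -1
                        || upperName.indexOf("JRMP") != -1 || upperName.indexOf("JAVA") != -1
                        || upperName.indexOf("DNS") != -1 || upperName.indexOf("IIOP") != -1
                        || upperName.indexOf("CORBANAME") != -1) {
                    log.warn("returning null, jndiName received by ServiceFactory.getService() is not supported by this method: " + name);
                    return null;
                }
            }
            // … unchanged: default name, service creation and context.bind …
```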
@@ -1,102 +1,8 @@ ---- axis-1_4/src/org/apache/axis/deployment/wsdd/providers/WSDDJavaCORBAProvider.java 2006-04-23 03:57:26.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/deployment/wsdd/providers/WSDDJavaCORBAProvider.java 2018-07-10 18:45:14.056601034 +0200 -@@ -1,45 +0,0 @@ --/* -- * Copyright 2001-2004 The Apache Software Foundation. -- * -- * Licensed under the Apache License, Version 2.0 (the "License"); -- * you may not use this file except in compliance with the License. -- * You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ --package org.apache.axis.deployment.wsdd.providers; -- --import org.apache.axis.EngineConfiguration; --import org.apache.axis.Handler; --import org.apache.axis.deployment.wsdd.WSDDConstants; --import org.apache.axis.deployment.wsdd.WSDDProvider; --import org.apache.axis.deployment.wsdd.WSDDService; -- -- --/** -- * A WSDD CORBA provider -- * -- * @author Davanum Srinivas (dims@yahoo.com) -- */ --public class WSDDJavaCORBAProvider -- extends WSDDProvider --{ -- public String getName() { -- return WSDDConstants.PROVIDER_CORBA; -- } -- /** -- * -- */ -- public Handler newProviderInstance(WSDDService service, -- EngineConfiguration registry) -- throws Exception -- { -- return new org.apache.axis.providers.java.CORBAProvider(); -- } --} ---- axis-1_4/src/org/apache/axis/deployment/wsdd/providers/WSDDJavaEJBProvider.java 2006-04-23 03:57:27.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/deployment/wsdd/providers/WSDDJavaEJBProvider.java 2018-07-10 18:45:55.864833720 +0200 -@@ -1,45 +0,0 @@ --/* -- * Copyright 2001-2004 The Apache Software Foundation. 
-- * -- * Licensed under the Apache License, Version 2.0 (the "License"); -- * you may not use this file except in compliance with the License. -- * You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ --package org.apache.axis.deployment.wsdd.providers; -- --import org.apache.axis.EngineConfiguration; --import org.apache.axis.Handler; --import org.apache.axis.deployment.wsdd.WSDDConstants; --import org.apache.axis.deployment.wsdd.WSDDProvider; --import org.apache.axis.deployment.wsdd.WSDDService; -- -- --/** -- * A WSDD EJB provider -- * -- * @author Glen Daniels (gdaniels@apache.org) -- */ --public class WSDDJavaEJBProvider -- extends WSDDProvider --{ -- public String getName() { -- return WSDDConstants.PROVIDER_EJB; -- } -- /** -- * -- */ -- public Handler newProviderInstance(WSDDService service, -- EngineConfiguration registry) -- throws Exception -- { -- return new org.apache.axis.providers.java.EJBProvider(); -- } --} ---- axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDConstants.java 2006-04-23 03:57:27.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDConstants.java 2018-07-10 19:12:50.137806540 +0200 -@@ -66,19 +66,15 @@ +Index: axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDConstants.java +=================================================================== +--- axis-1_4.orig/src/org/apache/axis/deployment/wsdd/WSDDConstants.java ++++ axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDConstants.java +@@ -66,19 +66,15 @@ public class WSDDConstants public static final String PROVIDER_RPC = "RPC"; public static final String PROVIDER_MSG = "MSG"; public static 
final String PROVIDER_HANDLER = "Handler"; @@ -116,9 +22,11 @@ public static final QName QNAME_RMI_PROVIDER = new QName(URI_WSDD_JAVA, PROVIDER_RMI); public static final String ELEM_WSDD_PARAM = "parameter"; ---- axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDProvider.java 2006-04-23 03:57:27.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDProvider.java 2018-07-10 18:39:07.494560669 +0200 -@@ -21,8 +21,6 @@ +Index: axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDProvider.java +=================================================================== +--- axis-1_4.orig/src/org/apache/axis/deployment/wsdd/WSDDProvider.java ++++ axis-1_4/src/org/apache/axis/deployment/wsdd/WSDDProvider.java +@@ -21,8 +21,6 @@ import org.apache.axis.components.logger import org.apache.axis.deployment.wsdd.providers.WSDDBsfProvider; import org.apache.axis.deployment.wsdd.providers.WSDDComProvider; import org.apache.axis.deployment.wsdd.providers.WSDDHandlerProvider; @@ -127,7 +35,7 @@ import org.apache.axis.deployment.wsdd.providers.WSDDJavaMsgProvider; import org.apache.axis.deployment.wsdd.providers.WSDDJavaRMIProvider; import org.apache.axis.deployment.wsdd.providers.WSDDJavaRPCProvider; -@@ -65,10 +63,8 @@ +@@ -65,10 +63,8 @@ public abstract class WSDDProvider providers.put(WSDDConstants.QNAME_JAVARPC_PROVIDER, new WSDDJavaRPCProvider()); providers.put(WSDDConstants.QNAME_JAVAMSG_PROVIDER, new WSDDJavaMsgProvider()); providers.put(WSDDConstants.QNAME_HANDLER_PROVIDER, new WSDDHandlerProvider()); 
@@ -138,629 +46,3 @@ providers.put(WSDDConstants.QNAME_RMI_PROVIDER, new WSDDJavaRMIProvider()); try { loadPluggableProviders(); ---- axis-1_4/src/org/apache/axis/providers/java/CORBAProvider.java 2006-04-23 03:57:26.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/providers/java/CORBAProvider.java 2018-07-10 18:44:57.384508242 +0200 -@@ -1,131 +0,0 @@ --/* -- * Copyright 2001-2004 The Apache Software Foundation. -- * -- * Licensed under the Apache License, Version 2.0 (the "License"); -- * you may not use this file except in compliance with the License. -- * You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ -- --package org.apache.axis.providers.java; -- --import org.apache.axis.Constants; --import org.apache.axis.Handler; --import org.apache.axis.MessageContext; --import org.apache.axis.components.logger.LogFactory; --import org.apache.axis.utils.ClassUtils; --import org.apache.commons.logging.Log; --import org.omg.CORBA.ORB; --import org.omg.CosNaming.NameComponent; --import org.omg.CosNaming.NamingContext; --import org.omg.CosNaming.NamingContextHelper; -- --import java.lang.reflect.Method; --import java.util.Properties; -- --/** -- * A basic CORBA Provider -- * -- * @author Davanum Srinivas (dims@yahoo.com) -- */ --public class CORBAProvider extends RPCProvider --{ -- protected static Log log = -- LogFactory.getLog(CORBAProvider.class.getName()); -- -- private static final String DEFAULT_ORB_INITIAL_HOST = "localhost"; -- private static final String DEFAULT_ORB_INITIAL_PORT = "900"; -- -- // The enterprise category is for stuff that an enterprise product might -- // want to track, 
but in a simple environment (like the AXIS build) would -- // be nothing more than a nuisance. -- protected static Log entLog = -- LogFactory.getLog(Constants.ENTERPRISE_LOG_CATEGORY); -- -- public static final String OPTION_ORB_INITIAL_HOST = "ORBInitialHost"; -- public static final String OPTION_ORB_INITIAL_PORT = "ORBInitialPort"; -- public static final String OPTION_NAME_ID = "NameID"; -- public static final String OPTION_NAME_KIND = "NameKind"; -- public static final String OPTION_INTERFACE_CLASSNAME = "InterfaceClassName"; -- public static final String OPTION_HELPER_CLASSNAME = "HelperClassName"; -- -- /** -- * Return a object which implements the service. -- * -- * @param msgContext the message context -- * @param clsName The JNDI name of the EJB home class -- * @return an object that implements the service -- */ -- protected Object makeNewServiceObject(MessageContext msgContext, -- String clsName) -- throws Exception -- { -- // Read deployment descriptor options -- String orbInitialHost = getStrOption(OPTION_ORB_INITIAL_HOST,msgContext.getService()); -- if (orbInitialHost == null) -- orbInitialHost = DEFAULT_ORB_INITIAL_HOST; -- String orbInitialPort = getStrOption(OPTION_ORB_INITIAL_PORT,msgContext.getService()); -- if (orbInitialPort == null) -- orbInitialPort = DEFAULT_ORB_INITIAL_PORT; -- String nameId = getStrOption(OPTION_NAME_ID,msgContext.getService()); -- String nameKind = getStrOption(OPTION_NAME_KIND,msgContext.getService()); -- String helperClassName = getStrOption(OPTION_HELPER_CLASSNAME,msgContext.getService()); -- -- // Initialize ORB -- Properties orbProps = new Properties(); -- orbProps.put("org.omg.CORBA.ORBInitialHost", orbInitialHost); -- orbProps.put("org.omg.CORBA.ORBInitialPort", orbInitialPort); -- ORB orb = ORB.init(new String[0], orbProps); -- -- // Find the object -- NamingContext root = NamingContextHelper.narrow(orb.resolve_initial_references("NameService")); -- NameComponent nc = new NameComponent(nameId, nameKind); -- 
NameComponent[] ncs = {nc}; -- org.omg.CORBA.Object corbaObject = root.resolve(ncs); -- -- Class helperClass = ClassUtils.forName(helperClassName); -- // Narrow the object reference -- Method narrowMethod = helperClass.getMethod("narrow", CORBA_OBJECT_CLASS); -- Object targetObject = narrowMethod.invoke(null, new Object[] {corbaObject}); -- -- return targetObject; -- } -- -- private static final Class[] CORBA_OBJECT_CLASS = new Class[] {org.omg.CORBA.Object.class}; -- -- /** -- * Return the option in the configuration that contains the service class -- * name. -- */ -- protected String getServiceClassNameOptionName() -- { -- return OPTION_INTERFACE_CLASSNAME; -- } -- -- /** -- * Get a String option by looking first in the service options, -- * and then at the Handler's options. This allows defaults to be -- * specified at the provider level, and then overriden for particular -- * services. -- * -- * @param optionName the option to retrieve -- * @return String the value of the option or null if not found in -- * either scope -- */ -- protected String getStrOption(String optionName, Handler service) -- { -- String value = null; -- if (service != null) -- value = (String)service.getOption(optionName); -- if (value == null) -- value = (String)getOption(optionName); -- return value; -- } -- } ---- axis-1_4/src/org/apache/axis/providers/java/EJBProvider.java 2006-04-23 03:57:26.000000000 +0200 -+++ axis-1_4/src/org/apache/axis/providers/java/EJBProvider.java 2018-07-10 18:45:30.176690761 +0200 -@@ -1,489 +0,0 @@ --/* -- * Copyright 2001-2004 The Apache Software Foundation. -- * -- * Licensed under the Apache License, Version 2.0 (the "License"); -- * you may not use this file except in compliance with the License. 
-- * You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ -- --package org.apache.axis.providers.java; -- --import java.lang.reflect.Method; --import java.lang.reflect.InvocationTargetException; --import java.util.Properties; -- --import javax.naming.Context; --import javax.naming.InitialContext; -- --import org.apache.axis.AxisFault; --import org.apache.axis.Constants; --import org.apache.axis.Handler; --import org.apache.axis.MessageContext; --import org.apache.axis.components.logger.LogFactory; --import org.apache.axis.handlers.soap.SOAPService; --import org.apache.axis.utils.ClassUtils; --import org.apache.axis.utils.Messages; --import org.apache.commons.logging.Log; -- --/** -- * A basic EJB Provider -- * -- * @author Carl Woolf (cwoolf@macromedia.com) -- * @author Tom Jordahl (tomj@macromedia.com) -- * @author C?dric Chabanois (cchabanois@ifrance.com) -- */ --public class EJBProvider extends RPCProvider --{ -- protected static Log log = -- LogFactory.getLog(EJBProvider.class.getName()); -- -- // The enterprise category is for stuff that an enterprise product might -- // want to track, but in a simple environment (like the AXIS build) would -- // be nothing more than a nuisance. 
-- protected static Log entLog = -- LogFactory.getLog(Constants.ENTERPRISE_LOG_CATEGORY); -- -- public static final String OPTION_BEANNAME = "beanJndiName"; -- public static final String OPTION_HOMEINTERFACENAME = "homeInterfaceName"; -- public static final String OPTION_REMOTEINTERFACENAME = "remoteInterfaceName"; -- public static final String OPTION_LOCALHOMEINTERFACENAME = "localHomeInterfaceName"; -- public static final String OPTION_LOCALINTERFACENAME = "localInterfaceName"; -- -- -- public static final String jndiContextClass = "jndiContextClass"; -- public static final String jndiURL = "jndiURL"; -- public static final String jndiUsername = "jndiUser"; -- public static final String jndiPassword = "jndiPassword"; -- -- protected static final Class[] empty_class_array = new Class[0]; -- protected static final Object[] empty_object_array = new Object[0]; -- -- private static InitialContext cached_context = null; -- -- /////////////////////////////////////////////////////////////// -- /////////////////////////////////////////////////////////////// -- /////// Default methods from JavaProvider ancestor, overridden -- /////// for ejbeans -- /////////////////////////////////////////////////////////////// -- /////////////////////////////////////////////////////////////// -- -- /** -- * Return a object which implements the service. -- * -- * @param msgContext the message context -- * @param clsName The JNDI name of the EJB home class -- * @return an object that implements the service -- */ -- protected Object makeNewServiceObject(MessageContext msgContext, -- String clsName) -- throws Exception -- { -- String remoteHomeName = getStrOption(OPTION_HOMEINTERFACENAME, -- msgContext.getService()); -- String localHomeName = getStrOption(OPTION_LOCALHOMEINTERFACENAME, -- msgContext.getService()); -- String homeName = (remoteHomeName != null ? 
remoteHomeName:localHomeName); -- -- if (homeName == null) { -- // cannot find both remote home and local home -- throw new AxisFault( -- Messages.getMessage("noOption00", -- OPTION_HOMEINTERFACENAME, -- msgContext.getTargetService())); -- } -- -- // Load the Home class name given in the config file -- Class homeClass = ClassUtils.forName(homeName, true, msgContext.getClassLoader()); -- -- // we create either the ejb using either the RemoteHome or LocalHome object -- if (remoteHomeName != null) -- return createRemoteEJB(msgContext, clsName, homeClass); -- else -- return createLocalEJB(msgContext, clsName, homeClass); -- } -- -- /** -- * Create an EJB using a remote home object -- * -- * @param msgContext the message context -- * @param beanJndiName The JNDI name of the EJB remote home class -- * @param homeClass the class of the home interface -- * @return an EJB -- */ -- private Object createRemoteEJB(MessageContext msgContext, -- String beanJndiName, -- Class homeClass) -- throws Exception -- { -- // Get the EJB Home object from JNDI -- Object ejbHome = getEJBHome(msgContext.getService(), -- msgContext, beanJndiName); -- Object ehome = javax.rmi.PortableRemoteObject.narrow(ejbHome, homeClass); -- -- // Invoke the create method of the ejbHome class without actually -- // touching any EJB classes (i.e. 
no cast to EJBHome) -- Method createMethod = homeClass.getMethod("create", empty_class_array); -- Object result = createMethod.invoke(ehome, empty_object_array); -- -- return result; -- } -- -- /** -- * Create an EJB using a local home object -- * -- * @param msgContext the message context -- * @param beanJndiName The JNDI name of the EJB local home class -- * @param homeClass the class of the home interface -- * @return an EJB -- */ -- private Object createLocalEJB(MessageContext msgContext, -- String beanJndiName, -- Class homeClass) -- throws Exception -- { -- // Get the EJB Home object from JNDI -- Object ejbHome = getEJBHome(msgContext.getService(), -- msgContext, beanJndiName); -- -- // the home object is a local home object -- Object ehome; -- if (homeClass.isInstance(ejbHome)) -- ehome = ejbHome; -- else -- throw new ClassCastException( -- Messages.getMessage("badEjbHomeType")); -- -- // Invoke the create method of the ejbHome class without actually -- // touching any EJB classes (i.e. no cast to EJBLocalHome) -- Method createMethod = homeClass.getMethod("create", empty_class_array); -- Object result = createMethod.invoke(ehome, empty_object_array); -- -- return result; -- } -- -- /** -- * Tells if the ejb that will be used to handle this service is a remote -- * one -- */ -- private boolean isRemoteEjb(SOAPService service) -- { -- return getStrOption(OPTION_HOMEINTERFACENAME,service) != null; -- } -- -- /** -- * Tells if the ejb that will be used to handle this service is a local -- * one -- */ -- private boolean isLocalEjb(SOAPService service) -- { -- return (!isRemoteEjb(service)) && -- (getStrOption(OPTION_LOCALHOMEINTERFACENAME,service) != null); -- } -- -- -- /** -- * Return the option in the configuration that contains the service class -- * name. In the EJB case, it is the JNDI name of the bean. 
-- */ -- protected String getServiceClassNameOptionName() -- { -- return OPTION_BEANNAME; -- } -- -- /** -- * Get a String option by looking first in the service options, -- * and then at the Handler's options. This allows defaults to be -- * specified at the provider level, and then overriden for particular -- * services. -- * -- * @param optionName the option to retrieve -- * @return String the value of the option or null if not found in -- * either scope -- */ -- protected String getStrOption(String optionName, Handler service) -- { -- String value = null; -- if (service != null) -- value = (String)service.getOption(optionName); -- if (value == null) -- value = (String)getOption(optionName); -- return value; -- } -- -- /** -- * Get the remote interface of an ejb from its home class. -- * This function can only be used for remote ejbs -- * -- * @param beanJndiName the jndi name of the ejb -- * @param service the soap service -- * @param msgContext the message context (can be null) -- */ -- private Class getRemoteInterfaceClassFromHome(String beanJndiName, -- SOAPService service, -- MessageContext msgContext) -- throws Exception -- { -- // Get the EJB Home object from JNDI -- Object ejbHome = getEJBHome(service, msgContext, beanJndiName); -- -- String homeName = getStrOption(OPTION_HOMEINTERFACENAME, -- service); -- if (homeName == null) -- throw new AxisFault( -- Messages.getMessage("noOption00", -- OPTION_HOMEINTERFACENAME, -- service.getName())); -- -- // Load the Home class name given in the config file -- ClassLoader cl = (msgContext != null) ? 
-- msgContext.getClassLoader() : -- Thread.currentThread().getContextClassLoader(); -- Class homeClass = ClassUtils.forName(homeName, true, cl); -- -- -- // Make sure the object we got back from JNDI is the same type -- // as the what is specified in the config file -- Object ehome = javax.rmi.PortableRemoteObject.narrow(ejbHome, homeClass); -- -- // This code requires the use of ejb.jar, so we do the stuff below -- // EJBHome ejbHome = (EJBHome) ehome; -- // EJBMetaData meta = ejbHome.getEJBMetaData(); -- // Class interfaceClass = meta.getRemoteInterfaceClass(); -- -- // Invoke the getEJBMetaData method of the ejbHome class without -- // actually touching any EJB classes (i.e. no cast to EJBHome) -- Method getEJBMetaData = -- homeClass.getMethod("getEJBMetaData", empty_class_array); -- Object metaData = getEJBMetaData.invoke(ehome, empty_object_array); -- Method getRemoteInterfaceClass = -- metaData.getClass().getMethod("getRemoteInterfaceClass", -- empty_class_array); -- return (Class) getRemoteInterfaceClass.invoke(metaData, -- empty_object_array); -- } -- -- -- /** -- * Get the class description for the EJB Remote or Local Interface, -- * which is what we are interested in exposing to the world (i.e. in WSDL). -- * -- * @param msgContext the message context (can be null) -- * @param beanJndiName the JNDI name of the EJB -- * @return the class info of the EJB remote or local interface -- */ -- protected Class getServiceClass(String beanJndiName, -- SOAPService service, -- MessageContext msgContext) -- throws AxisFault -- { -- Class interfaceClass = null; -- -- try { -- // First try to get the interface class from the configuation -- // Note that we don't verify that remote remoteInterfaceName is used for -- // remote ejb and localInterfaceName for local ejb. Should we ? 
-- String remoteInterfaceName = -- getStrOption(OPTION_REMOTEINTERFACENAME, service); -- String localInterfaceName = -- getStrOption(OPTION_LOCALINTERFACENAME, service); -- String interfaceName = (remoteInterfaceName != null ? remoteInterfaceName : localInterfaceName); -- -- if(interfaceName != null){ -- ClassLoader cl = (msgContext != null) ? -- msgContext.getClassLoader() : -- Thread.currentThread().getContextClassLoader(); -- interfaceClass = ClassUtils.forName(interfaceName, -- true, -- cl); -- } -- else -- { -- // cannot get the interface name from the configuration, we get -- // it from the EJB Home (if remote) -- if (isRemoteEjb(service)) { -- interfaceClass = getRemoteInterfaceClassFromHome(beanJndiName, -- service, -- msgContext); -- } -- else -- if (isLocalEjb(service)) { -- // we cannot get the local interface from the local ejb home -- // localInterfaceName is mandatory for local ejbs -- throw new AxisFault( -- Messages.getMessage("noOption00", -- OPTION_LOCALINTERFACENAME, -- service.getName())); -- } -- else -- { -- // neither a local ejb or a remote one ... 
-- throw new AxisFault(Messages.getMessage("noOption00", -- OPTION_HOMEINTERFACENAME, -- service.getName())); -- } -- } -- } catch (Exception e) { -- throw AxisFault.makeFault(e); -- } -- -- // got it, return it -- return interfaceClass; -- } -- -- /** -- * Common routine to do the JNDI lookup on the Home interface object -- * username and password for jndi lookup are got from the configuration or from -- * the messageContext if not found in the configuration -- */ -- private Object getEJBHome(SOAPService serviceHandler, -- MessageContext msgContext, -- String beanJndiName) -- throws AxisFault -- { -- Object ejbHome = null; -- -- // Set up an InitialContext and use it get the beanJndiName from JNDI -- try { -- Properties properties = null; -- -- // collect all the properties we need to access JNDI: -- // username, password, factoryclass, contextUrl -- -- // username -- String username = getStrOption(jndiUsername, serviceHandler); -- if ((username == null) && (msgContext != null)) -- username = msgContext.getUsername(); -- if (username != null) { -- if (properties == null) -- properties = new Properties(); -- properties.setProperty(Context.SECURITY_PRINCIPAL, username); -- } -- -- // password -- String password = getStrOption(jndiPassword, serviceHandler); -- if ((password == null) && (msgContext != null)) -- password = msgContext.getPassword(); -- if (password != null) { -- if (properties == null) -- properties = new Properties(); -- properties.setProperty(Context.SECURITY_CREDENTIALS, password); -- } -- -- // factory class -- String factoryClass = getStrOption(jndiContextClass, serviceHandler); -- if (factoryClass != null) { -- if (properties == null) -- properties = new Properties(); -- properties.setProperty(Context.INITIAL_CONTEXT_FACTORY, factoryClass); -- } -- -- // contextUrl -- String contextUrl = getStrOption(jndiURL, serviceHandler); -- if (contextUrl != null) { -- if (properties == null) -- properties = new Properties(); -- 
properties.setProperty(Context.PROVIDER_URL, contextUrl); -- } -- -- // get context using these properties -- InitialContext context = getContext(properties); -- -- // if we didn't get a context, fail -- if (context == null) -- throw new AxisFault( Messages.getMessage("cannotCreateInitialContext00")); -- -- ejbHome = getEJBHome(context, beanJndiName); -- -- if (ejbHome == null) -- throw new AxisFault( Messages.getMessage("cannotFindJNDIHome00",beanJndiName)); -- } -- // Should probably catch javax.naming.NameNotFoundException here -- catch (Exception exception) { -- entLog.info(Messages.getMessage("toAxisFault00"), exception); -- throw AxisFault.makeFault(exception); -- } -- -- return ejbHome; -- } -- -- protected InitialContext getCachedContext() -- throws javax.naming.NamingException -- { -- if (cached_context == null) -- cached_context = new InitialContext(); -- return cached_context; -- } -- -- -- protected InitialContext getContext(Properties properties) -- throws AxisFault, javax.naming.NamingException -- { -- // if we got any stuff from the configuration file -- // create a new context using these properties -- // otherwise, we get a default context and cache it for next time -- return ((properties == null) -- ? getCachedContext() -- : new InitialContext(properties)); -- } -- -- protected Object getEJBHome(InitialContext context, String beanJndiName) -- throws AxisFault, javax.naming.NamingException -- { -- // Do the JNDI lookup -- return context.lookup(beanJndiName); -- } -- -- /** -- * Override the default implementation such that we can include -- * special handling for {@link java.rmi.ServerException}. -- *

-- * Converts {@link java.rmi.ServerException} exceptions to -- * {@link InvocationTargetException} exceptions with the same cause. -- * This allows the axis framework to create a SOAP fault. -- *

-- *
-- * @see org.apache.axis.providers.java.RPCProvider#invokeMethod(org.apache.axis.MessageContext, java.lang.reflect.Method, java.lang.Object, java.lang.Object[])
-- */
-- protected Object invokeMethod(MessageContext msgContext, Method method,
-- Object obj, Object[] argValues)
-- throws Exception {
-- try {
-- return super.invokeMethod(msgContext, method, obj, argValues);
-- } catch (InvocationTargetException ite) {
-- Throwable cause = getCause(ite);
-- if (cause instanceof java.rmi.ServerException) {
-- throw new InvocationTargetException(getCause(cause));
-- }
-- throw ite;
-- }
-- }
--
-- /**
-- * Get the cause of an exception, using reflection so that
-- * it still works under JDK 1.3
-- *
-- * @param original the original exception
-- * @return the cause of the exception, or the given exception if the cause cannot be discovered.
-- */
-- private Throwable getCause(Throwable original) {
-- try {
-- Method method = original.getClass().getMethod("getCause", null);
-- Throwable cause = (Throwable) method.invoke(original, null);
-- if (cause != null) {
-- return cause;
-- }
-- } catch (NoSuchMethodException nsme) {
-- // ignore, this occurs under JDK 1.3
-- } catch (Throwable t) {
-- }
-- return original;
-- }
--}
diff --git a/axis.changes b/axis.changes
index 71b08bc..59a0b85 100644
--- a/axis.changes
+++ b/axis.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Feb 8 12:32:59 UTC 2024 - Gus Kenion
+
+ - Security fix [bsc#1218605, CVE-2023-51441] SSRF when untrusted
+ input is passed to the service admin HTTP API
+ * Added axis-CVE-2023-51441.patch
+ - Update axis-jdk11.patch, remove references to files that are
+ no longer present.
+
 -------------------------------------------------------------------
 Mon Mar 21 13:15:13 UTC 2022 - Fridrich Strba
diff --git a/axis.spec b/axis.spec
index 67bf9d7..7b7201d 100644
--- a/axis.spec
+++ b/axis.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package axis
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -52,6 +52,8 @@ Patch8: axis-jdk11.patch
 # PATCH-FIX-UPSTREAM bsc#1134598 CVE-2012-5784 CVE-2014-3596 missing connection hostname check against X.509 certificate name
 Patch9: axis-CVE-2014-3596.patch
 Patch10: unimplemented-saaj13-methods.patch
+# PATCH-FIX-UPSTREAM bsc#1218605 CVE-2023-51441 SSRF when untrusted input is passed to the service admin HTTP API
+Patch11: axis-CVE-2023-51441.patch
 BuildRequires: ant
 BuildRequires: ant-jdepend
 BuildRequires: antlr
@@ -108,6 +110,7 @@ cp %{SOURCE5} %{SOURCE6} %{SOURCE7} .
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # Remove provided binaries
 find . "(" -name "*.jar" -o -name "*.zip" -o -name "*.class" ")" -delete