Apache Axis2 HappyAxis.jsp expose sensitive information
Article ID: 137465


Products

CA Spectrum

Issue/Introduction

The Apache Axis2 installation includes a diagnostic JSP page at axis2-web/HappyAxis.jsp (http://<hostname>/axis2/axis2-web/HappyAxis.jsp) that discloses a large amount of sensitive information, such as the Java version, system properties and the libraries found on the classpath. An attacker could use this information to plan further attacks.

The Axis2 web service is deployed by default under $SPECROOT/tomcat/webapps/spectrum/.

Environment

Release : 10.3

Component : Spectrum OneClick

Resolution

HappyAxis.jsp is only a diagnostic page; if you do not need it, remove it manually from the installation.

Follow these steps to remove the exposure:

    1. Stop the OneClick Tomcat service.
    2. Navigate to $SPECROOT/tomcat/webapps/axis2/axis2-web and move HappyAxis.jsp to a backup location outside the tomcat folder (or delete it).
    3. Navigate to $SPECROOT/tomcat/work/Catalina/localhost/axis2/org/apache/jsp/axis2_002dweb and delete both HappyAxis_jsp.java and HappyAxis_jsp.class, if present (these are the servlet that Tomcat compiled from the JSP; they exist only if the page has already been requested).
    4. Start the OneClick Tomcat service and request http://<hostname>/axis2/axis2-web/HappyAxis.jsp again. It should now return HTTP 404: with the JSP and its compiled class gone, Tomcat has nothing left to serve.
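The file-level part of this procedure (steps 2 and 3) plus the post-restart check from step 4, as an added POSIX shell example that is not from the original article or from CA/Broadcom. It assumes SPECROOT is the Spectrum install root used in the paths above and that the OneClick server is reachable over plain HTTP on the hostname you pass in; stopping and starting the Tomcat service (steps 1 and 4) is left to the operator, because the command for that is not given here.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code: removes HappyAxis.jsp from a Spectrum
# OneClick Tomcat tree and verifies nothing of it remains. Paths follow the
# article; SPECROOT is assumed to be the Spectrum install root.
# Steps 1 and 4 of the article (stop/start the OneClick Tomcat service) are
# deliberately not automated here.

# Step 2 and 3: move HappyAxis.jsp outside the tomcat folder (kept as a backup)
# and delete the servlet Tomcat compiled from it under the work directory.
# Usage: remove_happyaxis <SPECROOT> <backup directory outside tomcat/>
remove_happyaxis() {
    specroot="$1"
    backup="$2"
    jsp="$specroot/tomcat/webapps/axis2/axis2-web/HappyAxis.jsp"
    work="$specroot/tomcat/work/Catalina/localhost/axis2/org/apache/jsp/axis2_002dweb"

    mkdir -p "$backup" || return 1
    if [ -f "$jsp" ]; then
        mv "$jsp" "$backup/HappyAxis.jsp" || return 1
    fi
    # The compiled servlet exists only if the page was requested at least once,
    # so a missing file is not an error.
    rm -f "$work/HappyAxis_jsp.java" "$work/HappyAxis_jsp.class"
    return 0
}

# Returns 0 when neither the JSP nor its compiled artifacts remain, 1 otherwise.
verify_removed() {
    specroot="$1"
    work="$specroot/tomcat/work/Catalina/localhost/axis2/org/apache/jsp/axis2_002dweb"
    for f in "$specroot/tomcat/webapps/axis2/axis2-web/HappyAxis.jsp" \
             "$work/HappyAxis_jsp.java" \
             "$work/HappyAxis_jsp.class"
    do
        if [ -e "$f" ]; then
            echo "still present: $f" >&2
            return 1
        fi
    done
    return 0
}

# Step 4, after Tomcat is running again: print the HTTP status of the page.
# Expect 404. The hostname is an assumption; pass the real OneClick server.
check_url() {
    host="${1:-localhost}"
    curl -s -o /dev/null -w '%{http_code}\n' "http://$host/axis2/axis2-web/HappyAxis.jsp"
}
```

Typical use, with Tomcat stopped: `remove_happyaxis "$SPECROOT" /var/backups/spectrum-axis2 && verify_removed "$SPECROOT"`, then start Tomcat and run `check_url oneclick.example.com`, which should print 404. The backup directory must be outside $SPECROOT/tomcat, otherwise Tomcat could still find and serve the page.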

This vulnerability will be addressed in the Spectrum 21.2 release.