Apache Axis2 HappyAxis.jsp expose sensitive information


Article ID: 137465


Updated On:


CA Spectrum


The Apache Axis2 installation includes a JSP page, accessible at axis2-web/HappyAxis.jsp (http://<hostname>/axis2/axis2-web/HappyAxis.jsp), that discloses a lot of sensitive information. An attacker could use this information to conduct further attacks.
The Axis2 web service is deployed by default in $SPECROOT/tomcat/webapps/spectrum/


Release : 10.3

Component : Spectrum OneClick


If you don't need the feature provided by Axis2, then you can manually remove it from your installation location.

Follow these steps to avoid this vulnerability:

    1. Stop the OneClick Tomcat service.
    2. Navigate to $SPECROOT/tomcat/webapps/axis2/axis2-web and delete the HappyAxis.jsp file, or back it up by moving it to a location outside the tomcat folder.
    3. Navigate to $SPECROOT/tomcat/work/Catalina/localhost/axis2/org/apache/jsp/axis2_002dweb and delete both HappyAxis_jsp.java and HappyAxis_jsp.class files.
    4. Start the OneClick Tomcat service and retest for the vulnerability. Because the file itself is no longer available, the vulnerability is no longer present.
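
Steps 2 and 3 can be scripted and verified as below. This is an added example, not vendor-supplied code: the function names and the backup directory argument are assumptions, it expects the OneClick Tomcat service to be stopped already, and it goes beyond the steps by searching the whole tomcat/webapps and tomcat/work trees rather than only the two paths listed.

```shell
#!/bin/sh
# Added example: scripted form of steps 2 and 3, plus a check that nothing is left.
# Assumption: the OneClick Tomcat service has already been stopped (step 1).
# Usage: sh remove_happyaxis.sh "$SPECROOT" /path/outside/tomcat/backup

# Print every HappyAxis source or compiled artifact still under the Tomcat tree.
find_happyaxis() {
    find "$1/tomcat/webapps" "$1/tomcat/work" -type f \
        \( -name 'HappyAxis.jsp' -o -name 'HappyAxis_jsp.java' \
           -o -name 'HappyAxis_jsp.class' \) 2>/dev/null
}

# Move the JSP to a backup directory outside tomcat and delete the compiled
# copies. Returns 0 only when no HappyAxis file remains afterwards.
remove_happyaxis() {
    specroot=$1
    backup=$2
    # Refuse a backup location inside the tomcat folder: the file must leave it.
    case "$backup" in
        "$specroot"/tomcat|"$specroot"/tomcat/*)
            echo "backup dir must be outside $specroot/tomcat" >&2
            return 2 ;;
    esac
    mkdir -p "$backup" || return 1
    n=0
    find_happyaxis "$specroot" | while IFS= read -r f; do
        case "$f" in
            *.jsp)
                # Numbered .bak name so several copies do not overwrite each other.
                n=$((n + 1))
                mv -- "$f" "$backup/HappyAxis.jsp.$n.bak" ;;
            *)
                rm -f -- "$f" ;;
        esac
    done
    [ -z "$(find_happyaxis "$specroot")" ]
}

# Entry point when called with <SPECROOT> <backup-dir>.
if [ "$#" -eq 2 ]; then
    remove_happyaxis "$1" "$2"
    exit $?
fi
```

A zero exit status means no HappyAxis.jsp, HappyAxis_jsp.java or HappyAxis_jsp.class remains under the Tomcat tree, so the service can be started again for step 4.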

This vulnerability will be addressed in the Spectrum 21.2 release.