Vulnerability Axis2 default Administrator Password

Article ID: 13994


Products

CA Spectrum

Issue/Introduction

The Axis2 administrator 'admin' has a password that is set to the default value of 'axis2'. As a result, anyone with access to the Axis2 port can trivially gain full access to the machine via arbitrary remote code execution.

How can I change the Axis2 default password?

Environment

Platform Independent

Resolution

As a workaround, do the following: 

a. Stop the "Spectrum Tomcat Service" from Task Manager > Services (Windows) or the stopTomcat.sh script in $SPECROOT/tomcat/bin (Linux/Solaris). 

b. Edit the $SPECROOT/tomcat/webapps/axis2/WEB-INF/web.xml file, and remove the <servlet> entry for AxisAdminServlet together with its <servlet-mapping> entry.

The content to remove will look like the text below:

<servlet>
        <servlet-name>AxisAdminServlet</servlet-name>
        <display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>
        <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
</servlet>

This will be followed further down in the file by the following servlet-mapping section, which also needs to be removed:

<servlet-mapping>
        <servlet-name>AxisAdminServlet</servlet-name>
        <url-pattern>/axis2-admin/*</url-pattern>
</servlet-mapping>


c. Regarding the username/password part, there are two options:

i. Remove the username/password parameters from the axis2.xml file, or
ii. Change the username and password parameters in the axis2.xml file to stronger credentials that conform to your organization's password policies.

The parameters in axis2.xml look like this:

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

d. Start the "Spectrum Tomcat Service". 
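The following script is an added example, not part of this article or of CA Spectrum, showing steps b and c as repeatable edits plus a check that the default credentials are gone. It assumes the standard Axis2 webapp layout (axis2.xml under WEB-INF/conf/, which the article does not state) and constructs its own sample web.xml and axis2.xml fragments; the function names and the sample credentials are illustrative.

```python
"""Hardening helpers for the Axis2 admin servlet and default credentials (added example)."""
import os
import xml.etree.ElementTree as ET

ADMIN_SERVLET = "AxisAdminServlet"          # servlet to strip from web.xml (step b)
CRED_PARAMS = ("userName", "password")      # axis2.xml parameters from step c
DEFAULT_PASSWORD = "axis2"                  # shipped default the article warns about


def _local(tag):
    """Strip any XML namespace from a tag; comments have a non-string tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def _parse(text):
    """Parse while keeping comments, so the rewritten file stays readable."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(text, parser=parser)
    if root.tag.startswith("{"):            # keep a default namespace prefix-free on output
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return root


def remove_admin_servlet(web_xml):
    """Step b: drop the <servlet> and <servlet-mapping> entries for AxisAdminServlet.

    Returns (new_xml, number_of_entries_removed)."""
    root = _parse(web_xml)
    removed = 0
    for child in list(root):
        if _local(child.tag) not in ("servlet", "servlet-mapping"):
            continue
        name = next((c.text.strip() for c in child
                     if _local(c.tag) == "servlet-name" and c.text), "")
        if name == ADMIN_SERVLET:
            root.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def uses_default_credentials(axis2_xml):
    """Verification: True if the 'password' parameter still holds the shipped default."""
    root = _parse(axis2_xml)
    params = {p.get("name"): (p.text or "").strip()
              for p in root.iter() if _local(p.tag) == "parameter"}
    return params.get("password") == DEFAULT_PASSWORD


def harden_axis2_credentials(axis2_xml, new_user=None, new_password=None):
    """Step c: option i (no new values) removes the parameters; option ii replaces them.

    Returns (new_xml, number_of_parameters_changed)."""
    if (new_user is None) != (new_password is None):
        raise ValueError("supply both new_user and new_password, or neither")
    root = _parse(axis2_xml)
    targets = [(parent, child) for parent in root.iter() for child in parent
               if _local(child.tag) == "parameter" and child.get("name") in CRED_PARAMS]
    for parent, child in targets:
        if new_user is None:
            parent.remove(child)
        else:
            child.text = new_user if child.get("name") == "userName" else new_password
    return ET.tostring(root, encoding="unicode"), len(targets)


# Constructed sample fragments (not copied from a real Spectrum install).
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AxisAdminServlet</servlet-name>
    <display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>
    <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>
</web-app>"""

SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <!-- constructed sample -->
  <parameter name="hotdeployment">true</parameter>
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""


if __name__ == "__main__":
    # Apply to a real install: SPECROOT from the environment, Tomcat stopped first (step a).
    # The axis2.xml location below is an assumption based on the stock Axis2 webapp layout.
    webinf = os.path.join(os.environ["SPECROOT"], "tomcat", "webapps", "axis2", "WEB-INF")
    for path, fn in ((os.path.join(webinf, "web.xml"), remove_admin_servlet),
                     (os.path.join(webinf, "conf", "axis2.xml"), harden_axis2_credentials)):
        with open(path, encoding="utf-8") as f:
            new_text, count = fn(f.read())
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
        print(f"{path}: {count} entries changed")
```

Run `uses_default_credentials()` against the live axis2.xml after step d as the acceptance check; the parser keeps comments, so the rewritten files remain diffable against a backup taken before the change.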

Additional Information

Please reference "CVE-2010-0219" for more information on this vulnerability.