Apache ODE 1.3.3 announced
[Posted August 11, 2009 by cook]
From: Matthieu Riou <mriou-1oDqGaOF3Lkdnm+yROfE0A-AT-public.gmane.org>
To: security-1oDqGaOF3Lkdnm+yROfE0A-AT-public.gmane.org, full-disclosure-yjGSz5NhYZxwCIiogXJnzFpr/1R2p/CL-AT-public.gmane.org, bugtraq-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf-AT-public.gmane.org, dev-rD4Y0WAubPYuJ1f4ENuQhw-AT-public.gmane.org, user-rD4Y0WAubPYuJ1f4ENuQhw-AT-public.gmane.org, Marc Schoenefeld <mschoene-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>, announce-1oDqGaOF3Lkdnm+yROfE0A-AT-public.gmane.org
Subject: [ANNOUNCE] Apache ODE 1.3.3
Date: Fri, 7 Aug 2009 21:41:03 -0700
Message-ID: <fbdc6a970908072141w20a7a9d9ka1f896ad8073dffb@mail.gmail.com>
Hi,
I'm pleased to announce the release of ODE 1.3.3, a security release of
Apache ODE. It fixes a vulnerability in process deployment that allowed an
attacker, using a forged deployment message, to create, overwrite or delete
files on the server file system. See the full vulnerability announcement below.
Apache ODE is a WS-BPEL compliant web service orchestration engine. It
orchestrates web service calls according to a process description written in
the BPEL XML grammar; another way to describe it is a web-service-capable
workflow engine.
This release also includes new features, bug fixes and improvements. See
the release notes for the full list:
<https://issues.apache.org/jira/browse/ODE/fixforversion/1...>
For more information, check the Apache ODE website:
http://ode.apache.org/
Apache ODE is an open source project released under a business-friendly
license (Apache License v2.0); as such, we welcome your help and
contributions. To participate and get involved, our mailing lists are the
best place to start:
http://ode.apache.org/mailing-lists.html
Thank you,
The Apache ODE Team
------
CVE-2008-2370: Apache ODE directory traversal vulnerability in process deployment
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
2.0-beta1 and 2.0-beta2 are also affected.
Description: The process deployment web service did not validate the package
name carried in deployment messages. A name containing path separators and
".." segments was used directly to build a file system path, giving directory
traversal: files could be written to arbitrary locations (for example a new
WAR under a servlet container's webapp deployment directory), existing files
could be overwritten, or files could be deleted.
Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
the latest source from Subversion or apply the patch published at
http://people.apache.org/~mriou/CVE-2008-2370-patch.txt<...>.
Example: deleting the file /tmp/blabla through the undeploy operation, by
sending the following message to the deployment service:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>
Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
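As an added illustration, not part of the advisory and not ODE's own code (ODE is written in Java; this is a stand-alone Python sketch of the same logic), the following parses the undeploy message shown above, shows the naive path join that lets the forged packageName escape the deployment directory, and the hardened name check a deployment service should apply instead. The deployment root DEPLOY_DIR, the function names and the name whitelist regular expression are assumptions made for the demonstration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the undeploy message from the advisory above,
# carrying the directory-traversal package name.
SAMPLE_UNDEPLOY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "pmap": "http://www.apache.org/ode/pmapi",
}

# Hypothetical deployment root, assumed for this demonstration.
DEPLOY_DIR = "/opt/ode/processes"

# Whitelist (assumed policy): a package name is one path component made of
# letters, digits, '.', '_' and '-', starting with a letter or digit so that
# '.', '..' and anything containing a separator can never match.
SAFE_PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def package_name_from_undeploy(xml_text):
    """Extract the <packageName> of a pmapi undeploy request."""
    root = ET.fromstring(xml_text)
    node = root.find("soapenv:Body/pmap:undeploy/packageName", NS)
    if node is None or not node.text:
        raise ValueError("undeploy request carries no packageName")
    return node.text.strip()


def vulnerable_package_path(deploy_dir, package_name):
    """The unsafe pattern: join the client-supplied name onto the deployment
    root without validation. The '..' segments walk out of deploy_dir, so
    the forged name above resolves to /tmp/blabla."""
    return os.path.normpath(os.path.join(deploy_dir, package_name))


def safe_package_path(deploy_dir, package_name):
    """Hardened resolution: a structural whitelist on the name, then a
    containment check on the resolved path as defence in depth (catches
    symlinks under the root and any bypass of the first check)."""
    if not SAFE_PACKAGE_NAME.fullmatch(package_name):
        raise ValueError("invalid package name: %r" % package_name)
    root = os.path.realpath(deploy_dir)
    candidate = os.path.realpath(os.path.join(root, package_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("package path escapes deployment root: %r" % package_name)
    return candidate


def is_traversal_attempt(xml_text):
    """Detection helper: True when the request's package name would be
    rejected by the hardened resolver (useful for log review or a WAF rule)."""
    try:
        safe_package_path(DEPLOY_DIR, package_name_from_undeploy(xml_text))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    name = package_name_from_undeploy(SAMPLE_UNDEPLOY)
    print("packageName:", name)
    print("naive resolution would delete:", vulnerable_package_path(DEPLOY_DIR, name))
    print("traversal attempt:", is_traversal_attempt(SAMPLE_UNDEPLOY))
```

The whitelist is the fix that matters: rejecting anything that is not a single benign path component removes the traversal outright, and the realpath containment check only exists to catch mistakes in that whitelist or symlinks already present under the root.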