ode-user mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	Matthieu Riou <mr...@apache.org>
Subject	[ANNOUNCE] Apache ODE 1.3.3
Date	Sat, 08 Aug 2009 04:41:03 GMT
Hi, I'm pleased to announce the release of ODE 1.3.3, a security release of Apache ODE. It fixes a vulnerability in the process deployment that allowed= , using a forged message, to create, overwrite or delete files on the server file system. See the full vulnerability announcement below. Apache ODE is a WS-BPEL compliant web service orchestration engine. It organizes web services calls following a process description written in the BPEL XML grammar. Another way to describe it would be a web-service capable workflow engine. This new release also includes new features, bug fixes and improvements See the release notes for an exhaustive list for details.<https://issues.apache.org/jira/browse/ODE/fixforversion/12313906> For more information, check the Apache ODE website: http://ode.apache.org/ Apache ODE is an open source project released under a business-friendly license (Apache License v2.0), as such we welcome your help and contributions. To participate and get involved, our mailing lists are the best resources to start from: http://ode.apache.org/mailing-lists.html Thank you, The Apache ODE Team ------ CVE-2008-2370: Apache ODE information disclosure vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE 2.0-beta1 and 2.0-beta2 are also affected. Description: The process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing director= y traversal, resulting in the potential writing of files under unwanted locations (like a new WAR under a webapp deployment directory), the overwriting of existing files or their deletion. Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtai= n the latest source from svn or apply the patch published under http://people.apache.org/~mriou/CVE-2008-2370-patch.txt<http://people.apach= e.org/%7Emriou/CVE-2008-2370-patch.txt>. Example: Deleting a file /tmp/blabla using undeploy by sending the followin= g message to the deployment service: <?xml version=3D"1.0" encoding=3D"UTF-8"?> <soapenv:Envelope xmlns:soapenv=3D"http://schemas.xmlsoap.org/soap/envelope= /" xmlns:pmap=3D"http://www.apache.org/ode/pmapi"> <soapenv:Header/> <soapenv:Body> <pmap:undeploy> <packageName>../../../../../../../../../../../../../../tmp/blabla</packageN= ame> </pmap:undeploy> </soapenv:Body> </soapenv:Envelope> Credit: This issue was discovered by =EF=BB=BFMarc Schoenefeld of Red Hat.
Mime	Unnamed multipart/alternative (inline, None, 0 bytes) Unnamed text/plain (inline, None, 2531 bytes)
	View raw message