www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matthieu Riou <mr...@apache.org>
Subject [ANNOUNCE] Apache ODE 1.3.3
Date Sat, 08 Aug 2009 04:41:03 GMT

I'm pleased to announce the release of ODE 1.3.3, a security release of
Apache ODE. It fixes a vulnerability in the process deployment that allowed,
using a forged message, to create, overwrite or delete files on the server
file system. See the full vulnerability announcement below.

Apache ODE is a WS-BPEL compliant web service orchestration engine. It
organizes web services calls following a process description written in the
BPEL XML grammar. Another way to describe it would be a web-service capable
workflow engine.

This new release also includes new features, bug fixes and improvements See
the release notes for an exhaustive list for

For more information, check the Apache ODE website:

Apache ODE is an open source project released under a business-friendly
license (Apache License v2.0), as such we welcome your help and
contributions. To participate and get involved, our mailing lists are the
best resources to start from:

Thank you,
The Apache ODE Team


CVE-2008-2370: Apache ODE information disclosure vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
2.0-beta1 and 2.0-beta2 are also affected.

Description: The process deployment web service was sensible to deployment
messages with forged names. Using a path for the name was allowing directory
traversal, resulting in the potential writing of files under unwanted
locations (like a new WAR under a webapp deployment directory), the
overwriting of existing files or their deletion.

Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
the latest source from svn or apply the patch published under

Example: Deleting a file /tmp/blabla using undeploy by sending the following
message to the deployment service:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
Credit: This issue was discovered by ´╗┐Marc Schoenefeld of Red Hat.

View raw message