PT-2010-3296 · Apache+1 · Apache Ode+7

Andreas Veithen-Knowles · Published 2010-06-22 · Updated 2022-05-17 · CVE-2010-1632

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Apache Axis2 versions prior to 1.5.2
IBM WebSphere Application Server (WAS) versions 7.0 through 7.0.0.12
IBM Feature Pack for Web Services versions 6.1.0.9 through 6.1.0.32
IBM Feature Pack for Web 2.0 version 1.0.1.0
Apache Synapse (affected versions not specified)
Apache ODE (affected versions not specified)
Apache Tuscany (affected versions not specified)
Apache Geronimo (affected versions not specified)

Description

The issue allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD in SOAP messages. This is demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

Recommendations

For Apache Axis2 versions prior to 1.5.2, update to version 1.5.2 or later.
For IBM WebSphere Application Server (WAS) versions 7.0 through 7.0.0.12, consider upgrading to a version outside the affected range.
For IBM Feature Pack for Web Services versions 6.1.0.9 through 6.1.0.32, consider upgrading to a version outside the affected range.
For IBM Feature Pack for Web 2.0 version 1.0.1.0, consider upgrading to a version outside the affected range.
For Apache Synapse, Apache ODE, Apache Tuscany, and Apache Geronimo, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
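
A defensive check for the crafted-DTD vector described above, as an added example that is not part of the original advisory or of any affected project's code: SOAP 1.1 and 1.2 forbid a document type declaration in a message, so an endpoint can reject any request that carries one before its entity declarations are read. The function name, return labels and sample messages are constructed for illustration, and Python's expat binding stands in for whatever parser the SOAP stack actually uses.

```python
import xml.parsers.expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample messages (not captured traffic).
CLEAN_MSG = (
    '<?xml version="1.0"?>'
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    "<getQuote><symbol>IBM</symbol></getQuote>"
    "</soapenv:Body></soapenv:Envelope>"
).encode()

# Same request, but with a DOCTYPE that declares a harmless internal entity.
DTD_MSG = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Envelope [<!ENTITY sample "constant text">]>'
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    "<getQuote><symbol>&sample;</symbol></getQuote>"
    "</soapenv:Body></soapenv:Envelope>"
).encode()


class DoctypeRejected(Exception):
    """Raised when a SOAP message carries a document type declaration."""


def check_soap_message(payload: bytes) -> str:
    """Return 'accept', 'reject-dtd' or 'reject-malformed' for a request body."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity declaration is processed,
        # so nothing in the DTD is ever expanded or resolved.
        raise DoctypeRejected(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(payload, True)
    except DoctypeRejected:
        return "reject-dtd"
    except xml.parsers.expat.ExpatError:
        return "reject-malformed"
    return "accept"


if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_MSG), ("with DTD", DTD_MSG)):
        print(label, "->", check_soap_message(msg))
```

A "reject-dtd" result is also worth logging with the client address, since legitimate SOAP clients have no reason to send a DOCTYPE.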

RCE


Weakness Enumeration

Related Identifiers

CVE-2010-1632
GHSA-23VV-V25H-QWQW

Affected Products

Apache Axis2
Apache Geronimo
Apache ODE
Apache Synapse
Apache Tuscany
Feature Pack for Web 2.0
WAS Feature Pack for Web Services
IBM WebSphere Application Server