CVE-2022-44784

Name of the Vulnerable Software and Affected Versions Appalti & Contratti version 9.12.2

Description An issue was discovered in the target web applications LFS and DL229, which expose a set of services provided by the Axis 1.4 instance. The Axis AdminService, normally accessible only by localhost, can be reached by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure involves writing a JSP page inside the root directory of the web application through the org.apache.axis.handlers.LogHandler class.

Recommendations For Appalti & Contratti version 9.12.2, consider disabling the Axis AdminService to prevent remote access and instantiation of arbitrary services on the server. As a temporary workaround, restrict access to the org.apache.axis.handlers.LogHandler class to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.