Apache Axis 1.x ServiceFactory RCE via Untrusted LDAP Lookup
CVE-2023-40743 Published on September 5, 2023

Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-40743 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

What is a Special Element Injection Vulnerability?

The software does not adequately filter user-controlled input for special elements with control implications.

CVE-2023-40743 has been classified to as a Special Element Injection vulnerability or weakness.


Products Associated with CVE-2023-40743

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-40743 are published in these products:

Apache Axis
 
Canonical Ubuntu Linux
 
Oracle
 

Affected Versions

Apache Software Foundation Apache Axis: apache axis:

Exploit Probability

EPSS
1.11%
Percentile
77.82%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.