Apache Axis2/Java is a SOAP and REST web services engine. It provides a message-processing pipeline with pluggable transports (HTTP/HTTPS, JMS, TCP, local), a module system for cross-cutting concerns (WS-Security via Rampart, WS-Addressing), hot-deployment of service archives (AAR/MAR), and multi-protocol serving (JSON-RPC, REST/OpenAPI, MCP) from a single service deployment. It runs inside a Jakarta Servlet container (Tomcat, Jetty, WildFly) or embedded via Spring Boot.
| Role | Trust Level | Description |
|---|---|---|
| Server Administrator | Fully trusted | Configures axis2.xml, deploys/removes modules and services, controls the servlet container. Has filesystem and JVM-level access. |
| Service Deployer | Trusted | Drops AAR archives into WEB-INF/services/. May be the same person as the administrator, or a CI pipeline. |
| Module Developer | Trusted | Builds and deploys MAR module archives that add handlers to the processing pipeline. Code executes with full JVM privileges. |
| Authenticated Client | Partially trusted | A remote caller whose identity has been verified by the servlet container, a servlet filter, or a WS-Security module (Rampart). Authorized actions depend on the application. |
| Anonymous Client | Untrusted | A remote caller with no credentials. Can reach any endpoint exposed by the HTTP transport. All input is hostile. |
WEB-INF/services/ or WEB-INF/modules/, they can deploy arbitrary code. This is an OS/container configuration issue./services/ listing. When exposeServiceMetadata is true (the default), service names are visible. This is documented behavior controllable via axis2.xml.Remote Client (untrusted input)
|
v
Servlet Container (TLS termination, optional authentication)
|
v
AxisServlet / HTTPWorker <-- HTTP entry point
|
v
MessageContext created <-- request metadata captured
|
v
Transport-In Phase <-- transport-level handlers
|
v
Dispatchers <-- route to service/operation
(URI, SOAPAction, WS-Addressing, JSON method, HTTP location)
|
v
Handler Phases <-- global + per-service handlers
(security modules like Rampart execute here)
|
v
Message Builder <-- deserialize body
(SOAP, XML, JSON, MTOM, multipart/form-data)
|
v
MessageReceiver <-- invoke service method
|
v
Response Phases + Transport-Out <-- serialize response, send
Axis2 exposes the following URL patterns from the servlet mapping:
| Pattern | Purpose | Trust Requirement |
|---|---|---|
/services/{ServiceName} | JSON-RPC and SOAP service invocation | Application-defined |
/services/{ServiceName}/{Operation} | REST-style per-operation invocation | Application-defined |
/services/{ServiceName}?wsdl | WSDL metadata retrieval | Anonymous (if exposeServiceMetadata=true) |
/services/{ServiceName}?xsd | XML Schema retrieval | Anonymous (if exposeServiceMetadata=true) |
/services/ | Service listing | Anonymous (if exposeServiceMetadata=true) |
/openapi.json | OpenAPI 3.0 schema (if OpenAPI module engaged) | Anonymous |
/swagger-ui | Swagger UI (if OpenAPI module engaged) | Anonymous |
/openapi-mcp.json | MCP tool catalog (if OpenAPI module engaged) | Anonymous |
| Component | Threats | Mitigations |
|---|---|---|
| XML parsers (AXIOM/StAX, DocumentBuilderFactory) | XXE, billion laughs, entity expansion DoS | DOCTYPE disallowed; external entities disabled; DefaultEntityResolver returns empty source |
| WSDL/XSD import resolution (wsdl4j, xmlschema-core) | XXE in imported documents; SSRF via file:///gopher:// schemes | SecureWSDLLocator pre-validates with hardened SAX parser; protocol whitelist (HTTP/HTTPS only); size limit (10MB default); connect/read timeouts; relative-path SSRF bypass blocked |
| JSON parser (Gson) | Deep nesting stack exhaustion, large payload DoS | Fuzz-tested (1.7M+ iterations); Gson nesting limits |
| JSON-RPC dispatch | Method name injection; unexpected operation invocation | Method names validated against deployed operations; unknown methods return fault |
| Multipart/file upload (commons-fileupload2) | Unbounded file count DoS (CVE-2023-24998 pattern) | Migrated from commons-fileupload 1.x to commons-fileupload2 which enforces file count limits |
| Service dispatchers | Routing to unintended service; header spoofing | Dispatchers validate service existence; unknown services return fault |
| Hot-deployment (DeploymentEngine) | Malicious AAR/MAR deploys arbitrary code | Trust boundary is filesystem access; no signature verification (admin operation) |
| Context externalization (SafeObjectInputStream) | Java deserialization gadget chains | Whitelist-based SafeObjectInputStream; restricted to known Axis2 context classes |
Metadata endpoints (?wsdl, ?xsd, /services/) | Service enumeration, schema disclosure | Controllable via exposeServiceMetadata parameter |
| MTOM/attachment handling | Large attachment DoS, temp file exhaustion | Streaming processing; TempFileManager cleanup |
?fields= query parameter (field selection, if enabled) | Reflection-based field filtering on response objects | Field names validated against declared response type; no dynamic class loading |
| Transport | Security Notes |
|---|---|
| HTTP/HTTPS | TLS handled by servlet container. No framework-level auth. Primary production transport. |
| Local (in-JVM) | No network exposure. JVM-level isolation only. |
| JMS | Authentication delegated to JMS broker. |
| TCP | Raw sockets. No encryption or authentication. Trusted networks only. |
| UDP | No encryption, no authentication, no reliability. Trusted networks only. |
| Depends on mail server authentication. |
Axis2's CVE history concentrates in three categories. The scan should weight these areas accordingly.
Clustering module (removed): A previous version of Axis2 included a clustering module for multi-node coordination using Apache Tribes. This module exposed a network listener that deserialized Java objects from untrusted network streams without validation, enabling Remote Code Execution (RCE) via standard deserialization gadget chains. Resolved by complete removal of the clustering module in 40+ files (AXIS2-6097).
Lesson: Any ObjectInputStream.readObject() on network input is a critical-severity finding. The remaining use of Java serialization in Axis2 is SafeObjectInputStream for context externalization, which uses a class whitelist.
CVE-2010-1632: DTD/XXE in MTOMBuilder flow. Fixed by strictly forbidding DOCTYPE declarations in SOAP and XML requests.
WSDL import parsing: wsdl4j 1.6.3 creates its own DocumentBuilderFactory without XXE hardening. Axis2 mitigates this with SecureWSDLLocator (pre-validates imported documents with a hardened SAX parser, rejects DOCTYPE, protocol-whitelists to HTTP/HTTPS, enforces size limits and timeouts) and hardened URI resolvers for xmlschema-core imports.
Lesson: Third-party XML libraries (wsdl4j, xmlschema-core) create their own parser factories that bypass framework-level hardening. Every XML parsing path — including transitive ones through dependency libraries — must be audited.
| CVE | Dependency | Issue | Resolution |
|---|---|---|---|
| CVE-2010-3981 | Admin console | CSRF/XSS | Fixed in 1.7.3 |
| CVE-2012-6153, CVE-2014-3577 | Apache HttpClient | Various | Updated dependency in 1.7.4 |
| CVE-2016-1000031 | commons-fileupload | RCE via DiskFileItem | Updated dependency in 1.7.6 |
| CVE-2023-24998 | commons-fileupload 1.x | Unbounded file count DoS | Migrated to commons-fileupload2 in 2.0.0 |
Lesson: Dependency-level CVEs are the most frequent class. The migration from commons-fileupload 1.x to commons-fileupload2 in 2.0.0 was specifically driven by CVE-2023-24998.
XML parsing: All DocumentBuilderFactory and SAXParserFactory instances created by the framework disable DTDs and external entities (XMLUtils.java, SecureWSDLLocator.java, DefaultEntityResolver.java).
WSDL import security: SecureWSDLLocator pre-parses imported documents before passing them to wsdl4j. Protocol-restricted to HTTP/HTTPS. Size-limited. Timeout-protected. Relative-path SSRF bypass patched.
Schema import security: URI resolvers for AAR and WAR deployments block HTTP/HTTPS/FTP/JAR/file scheme resolution to prevent SSRF via xmlschema-core's DefaultURIResolver.
Deserialization whitelist: SafeObjectInputStream restricts Java object deserialization to known Axis2 context classes.
Clustering removed: The entire clustering module (Tribes-based inter-node communication with unvalidated deserialization) has been removed from the codebase.
File upload limits: Migration to commons-fileupload2 enforces file count limits, preventing CVE-2023-24998-style DoS.
Fault detail suppression: sendStacktraceDetailsWithFaults defaults to false.
Fuzz testing: Jazzer-based fuzzers cover XML, JSON, HTTP header, and URL parsers. 45M+ iterations with zero crashes or security findings. See src/site/xdoc/docs/OSS-FUZZ.md. Axis2/C has an active OSS-Fuzz integration.
Report vulnerabilities to: security@apache.org
Follow the Apache Security Policy. All confirmed issues go through coordinated disclosure with CVE assignment.