blob: 902762f0d62de1218b7fccab57e12fa00aa704f1 [file] [view]
# Security Threat Model — Apache Axis2/Java
## Project Description
Apache Axis2/Java is a SOAP and REST web services engine. It provides a
message-processing pipeline with pluggable transports (HTTP/HTTPS, JMS, TCP,
local), a module system for cross-cutting concerns (WS-Security via Rampart,
WS-Addressing), hot-deployment of service archives (AAR/MAR), and
multi-protocol serving (JSON-RPC, REST/OpenAPI, MCP) from a single service
deployment. It runs inside a Jakarta Servlet container (Tomcat, Jetty,
WildFly) or embedded via Spring Boot.
## Roles and Trust Levels
| Role | Trust Level | Description |
|------|-------------|-------------|
| **Server Administrator** | Fully trusted | Configures `axis2.xml`, deploys/removes modules and services, controls the servlet container. Has filesystem and JVM-level access. |
| **Service Deployer** | Trusted | Drops AAR archives into `WEB-INF/services/`. May be the same person as the administrator, or a CI pipeline. |
| **Module Developer** | Trusted | Builds and deploys MAR module archives that add handlers to the processing pipeline. Code executes with full JVM privileges. |
| **Authenticated Client** | Partially trusted | A remote caller whose identity has been verified by the servlet container, a servlet filter, or a WS-Security module (Rampart). Authorized actions depend on the application. |
| **Anonymous Client** | Untrusted | A remote caller with no credentials. Can reach any endpoint exposed by the HTTP transport. All input is hostile. |
## Security Boundaries
### What IS a security issue
- **Remote Code Execution (RCE)** via the Axis2 framework itself — not
through user-written service logic.
- **XML External Entity (XXE) injection** — the framework's XML parsers
resolve external entities or allow DOCTYPE declarations from untrusted
input, enabling file read, SSRF, or denial of service.
- **Server-Side Request Forgery (SSRF)** — an attacker causes the server
to make requests to arbitrary internal or external hosts through framework
features such as WSDL/XSD import resolution, endpoint references, or
transport senders.
- **Deserialization of untrusted data** — framework-level Java object
deserialization that can be triggered by remote input without a class
whitelist. This was historically the most severe class of vulnerability
in Axis2 (see CVE history below).
- **Denial of Service via parser abuse** — billion-laughs XML bombs, deeply
nested JSON, or other input that causes unbounded memory or CPU
consumption inside framework-level parsers.
- **Authentication or authorization bypass** — a flaw in the handler/phase
pipeline that allows a message to skip an engaged security module.
- **Information disclosure of server internals** — stack traces, class
names, or configuration details leaked to unauthenticated callers through
fault messages or metadata endpoints when exposure has been disabled.
- **Path traversal** — a crafted service name, URI component, or WSDL
import location that allows reading or writing files outside expected
directories.
- **Multipart/file upload abuse** — unbounded file counts or sizes via
multipart form data that exhaust server resources.
### What is NOT a security issue
- **Vulnerabilities in user-written services.** SQL injection, broken
access control, or insecure business logic in a deployed service are the
service author's responsibility.
- **Missing authentication on endpoints.** Axis2 does not ship built-in
authentication. Securing endpoints is the responsibility of the servlet
container, servlet filters, or engaged security modules (Rampart).
- **Hot-deployment with weak filesystem permissions.** If an attacker has
write access to `WEB-INF/services/` or `WEB-INF/modules/`, they can
deploy arbitrary code. This is an OS/container configuration issue.
- **Service enumeration via `/services/` listing.** When
`exposeServiceMetadata` is `true` (the default), service names are
visible. This is documented behavior controllable via `axis2.xml`.
- **Denial of service at the network level.** SYN floods, slowloris, or
transport-layer attacks are mitigated by the servlet container, not Axis2.
- **Vulnerabilities *within* optional, external modules.** For example,
a flaw in Rampart's cryptographic implementation would be handled by
the Rampart project. However, a flaw in Axis2's handler pipeline that
allows the Rampart module to be bypassed *is* a vulnerability in Axis2.
## Architecture and Attack Surface
### Message Processing Pipeline
```
Remote Client (untrusted input)
|
v
Servlet Container (TLS termination, optional authentication)
|
v
AxisServlet / HTTPWorker <-- HTTP entry point
|
v
MessageContext created <-- request metadata captured
|
v
Transport-In Phase <-- transport-level handlers
|
v
Dispatchers <-- route to service/operation
(URI, SOAPAction, WS-Addressing, JSON method, HTTP location)
|
v
Handler Phases <-- global + per-service handlers
(security modules like Rampart execute here)
|
v
Message Builder <-- deserialize body
(SOAP, XML, JSON, MTOM, multipart/form-data)
|
v
MessageReceiver <-- invoke service method
|
v
Response Phases + Transport-Out <-- serialize response, send
```
### URL Patterns
Axis2 exposes the following URL patterns from the servlet mapping:
| Pattern | Purpose | Trust Requirement |
|---------|---------|-------------------|
| `/services/{ServiceName}` | JSON-RPC and SOAP service invocation | Application-defined |
| `/services/{ServiceName}/{Operation}` | REST-style per-operation invocation | Application-defined |
| `/services/{ServiceName}?wsdl` | WSDL metadata retrieval | Anonymous (if `exposeServiceMetadata=true`) |
| `/services/{ServiceName}?xsd` | XML Schema retrieval | Anonymous (if `exposeServiceMetadata=true`) |
| `/services/` | Service listing | Anonymous (if `exposeServiceMetadata=true`) |
| `/openapi.json` | OpenAPI 3.0 schema (if OpenAPI module engaged) | Anonymous |
| `/swagger-ui` | Swagger UI (if OpenAPI module engaged) | Anonymous |
| `/openapi-mcp.json` | MCP tool catalog (if OpenAPI module engaged) | Anonymous |
### Attack Surface by Component
| Component | Threats | Mitigations |
|-----------|---------|-------------|
| **XML parsers** (AXIOM/StAX, DocumentBuilderFactory) | XXE, billion laughs, entity expansion DoS | DOCTYPE disallowed; external entities disabled; `DefaultEntityResolver` returns empty source |
| **WSDL/XSD import resolution** (wsdl4j, xmlschema-core) | XXE in imported documents; SSRF via `file://`/`gopher://` schemes | `SecureWSDLLocator` pre-validates with hardened SAX parser; protocol whitelist (HTTP/HTTPS only); size limit (10MB default); connect/read timeouts; relative-path SSRF bypass blocked |
| **JSON parser** (Gson) | Deep nesting stack exhaustion, large payload DoS | Fuzz-tested (1.7M+ iterations); Gson nesting limits |
| **JSON-RPC dispatch** | Method name injection; unexpected operation invocation | Method names validated against deployed operations; unknown methods return fault |
| **Multipart/file upload** (commons-fileupload2) | Unbounded file count DoS (CVE-2023-24998 pattern) | Migrated from commons-fileupload 1.x to commons-fileupload2 which enforces file count limits |
| **Service dispatchers** | Routing to unintended service; header spoofing | Dispatchers validate service existence; unknown services return fault |
| **Hot-deployment** (DeploymentEngine) | Malicious AAR/MAR deploys arbitrary code | Trust boundary is filesystem access; no signature verification (admin operation) |
| **Context externalization** (SafeObjectInputStream) | Java deserialization gadget chains | Whitelist-based `SafeObjectInputStream`; restricted to known Axis2 context classes |
| **Metadata endpoints** (`?wsdl`, `?xsd`, `/services/`) | Service enumeration, schema disclosure | Controllable via `exposeServiceMetadata` parameter |
| **MTOM/attachment handling** | Large attachment DoS, temp file exhaustion | Streaming processing; `TempFileManager` cleanup |
| **`?fields=` query parameter** (field selection, if enabled) | Reflection-based field filtering on response objects | Field names validated against declared response type; no dynamic class loading |
### Transports
| Transport | Security Notes |
|-----------|----------------|
| HTTP/HTTPS | TLS handled by servlet container. No framework-level auth. Primary production transport. |
| Local (in-JVM) | No network exposure. JVM-level isolation only. |
| JMS | Authentication delegated to JMS broker. |
| TCP | Raw sockets. No encryption or authentication. Trusted networks only. |
| UDP | No encryption, no authentication, no reliability. Trusted networks only. |
| Mail | Depends on mail server authentication. |
## CVE History and Lessons Learned
Axis2's CVE history concentrates in three categories. The scan should
weight these areas accordingly.
### 1. Deserialization of Untrusted Data (most severe)
**Clustering module (removed):**
A previous version of Axis2 included a clustering module for multi-node
coordination using Apache Tribes. This module exposed a network listener
that deserialized Java objects from untrusted network streams without
validation, enabling Remote Code Execution (RCE) via standard
deserialization gadget chains. Resolved by complete removal of the
clustering module in 40+ files
([AXIS2-6097](https://issues.apache.org/jira/browse/AXIS2-6097)).
**Lesson:** Any `ObjectInputStream.readObject()` on network input is a
critical-severity finding. The remaining use of Java serialization in
Axis2 is `SafeObjectInputStream` for context externalization, which uses
a class whitelist.
### 2. XML Parsing (XXE/SSRF)
**CVE-2010-1632:** DTD/XXE in MTOMBuilder flow. Fixed by strictly
forbidding DOCTYPE declarations in SOAP and XML requests.
**WSDL import parsing:** wsdl4j 1.6.3 creates its own
`DocumentBuilderFactory` without XXE hardening. Axis2 mitigates this
with `SecureWSDLLocator` (pre-validates imported documents with a
hardened SAX parser, rejects DOCTYPE, protocol-whitelists to HTTP/HTTPS,
enforces size limits and timeouts) and hardened URI resolvers for
xmlschema-core imports.
**Lesson:** Third-party XML libraries (wsdl4j, xmlschema-core) create
their own parser factories that bypass framework-level hardening. Every
XML parsing path — including transitive ones through dependency
libraries — must be audited.
### 3. Dependency Vulnerabilities
| CVE | Dependency | Issue | Resolution |
|-----|-----------|-------|------------|
| CVE-2010-3981 | Admin console | CSRF/XSS | Fixed in 1.7.3 |
| CVE-2012-6153, CVE-2014-3577 | Apache HttpClient | Various | Updated dependency in 1.7.4 |
| CVE-2016-1000031 | commons-fileupload | RCE via DiskFileItem | Updated dependency in 1.7.6 |
| CVE-2023-24998 | commons-fileupload 1.x | Unbounded file count DoS | Migrated to commons-fileupload2 in 2.0.0 |
**Lesson:** Dependency-level CVEs are the most frequent class. The
migration from `commons-fileupload` 1.x to `commons-fileupload2` in
2.0.0 was specifically driven by CVE-2023-24998.
## Existing Security Hardening
1. **XML parsing:** All `DocumentBuilderFactory` and `SAXParserFactory`
instances created by the framework disable DTDs and external entities
(`XMLUtils.java`, `SecureWSDLLocator.java`, `DefaultEntityResolver.java`).
2. **WSDL import security:** `SecureWSDLLocator` pre-parses imported
documents before passing them to wsdl4j. Protocol-restricted to
HTTP/HTTPS. Size-limited. Timeout-protected. Relative-path SSRF
bypass patched.
3. **Schema import security:** URI resolvers for AAR and WAR deployments
block HTTP/HTTPS/FTP/JAR/file scheme resolution to prevent SSRF via
xmlschema-core's `DefaultURIResolver`.
4. **Deserialization whitelist:** `SafeObjectInputStream` restricts Java
object deserialization to known Axis2 context classes.
5. **Clustering removed:** The entire clustering module (Tribes-based
inter-node communication with unvalidated deserialization) has been
removed from the codebase.
6. **File upload limits:** Migration to commons-fileupload2 enforces
file count limits, preventing CVE-2023-24998-style DoS.
7. **Fault detail suppression:** `sendStacktraceDetailsWithFaults`
defaults to `false`.
8. **Fuzz testing:** Jazzer-based fuzzers cover XML, JSON, HTTP header,
and URL parsers. 45M+ iterations with zero crashes or security
findings. See `src/site/xdoc/docs/OSS-FUZZ.md`. Axis2/C has an
active OSS-Fuzz integration.
## Reporting Security Issues
Report vulnerabilities to: **security@apache.org**
Follow the [Apache Security Policy](https://www.apache.org/security/).
All confirmed issues go through coordinated disclosure with CVE assignment.