Title: Security Advisories
VERSION: older than 3.3.10
PROBLEMTYPE: Remote Code Execution
REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578
DESCRIPTION: Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services.
RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.
For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.
Severity: Low
Mitigation:
jUDDI Clients, disable RMITransports (found in uddi.xml) and use alternate transports such as HTTPS. jUDDI Server (juddiv3.war/WEB-INF/classes/juddiv3.xml), disable JNDI and RMI settings in juddiv3.xml. The appropriate settings are located below in xpath style notation.
juddi/jndi/registration=false juddi/rmi/registration=false
If the settings are not present, then JNDI and RMI are already disabled. This is the default setting.
Credit:
Artem Smotrakov
VERSION: 3.2 through 3.3.4
PROBLEMTYPE: XML Entity Expansion
REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267
DISCRIPTION: If using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. This was fixed with https://issues.apache.org/jira/browse/JUDDI-987
Severity: Moderate
Mitigation:
Update your juddi-client dependencies to 3.3.5 or newer and/or discontinue use of the effected classes.
VERSION: 3.0.0
PROBLEMTYPE: Information Disclosure
REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267
DISCRIPTION: The jUDDI console doesn't escape line feeds that were passed in the numRows parameter. This affects log integrity, as this allows authenticated users to forge log records.
Severity: Moderate
Mitigation:
3.0.0 users should upgrade to jUDDI 3.0.1 or newer
Credit:
This issue was discovered by Marc Schoenefeld of Red Hat Software.
VERSION: 3.1.2, 3.1.3, 3.1.4, and 3.1.5 that utilize the portlets based user interface also known as ‘Pluto’, ‘jUDDI Portal’, ‘UDDI Portal’ or ‘uddi-console’
PROBLEMTYPE: Open Redirect
REFERENCES: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5241
DESCRIPTION: After logging into the portal, the logout jsp page redirects the browser back to the login page after. It is feasible for malicious user to redirect the browser to an unintended web page. User session data, credentials, and auth tokens are cleared before the redirect.
Mitigations:
"String redirectURL = (String) request.getParameter("urlredirect");
if (redirectURL==null) redirectURL = "/pluto/Logout";
with this text
String redirectURL = "/pluto/Logout";
No patches or releases are planned for the affected versions since jUDDI v3.2 replaced the user interface.