I'm pleased to announce the release of Apache ODE 1.3.3, a security release. It fixes a vulnerability in process deployment that allowed an attacker, using a forged deployment message, to create, overwrite or delete files on the server file system. See the full vulnerability announcement below.
Apache ODE is a WS-BPEL compliant web service orchestration engine. It organizes web services calls following a process description written in the BPEL XML grammar. Another way to describe it would be a web-service capable workflow engine.
This release also includes new features, bug fixes and improvements. See the release notes for an exhaustive list.
Apache ODE is an open source project released under a business-friendly license (Apache License v2.0), so we welcome your help and contributions. To participate and get involved, our mailing lists are the best place to start: http://ode.apache.org/mailing-lists.html
Thank you,
The Apache ODE Team
CVE-2008-2370: Apache ODE directory traversal vulnerability in the process deployment service
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE 2.0-beta1 and 2.0-beta2 are also affected.
Description: The process deployment web service was susceptible to deployment messages with forged package names. The name was joined onto the deployment directory without validation, so supplying a relative path such as ../../../tmp/x as the name allowed directory traversal. The result was the potential writing of files to unwanted locations (for example a new WAR under a webapp deployment directory, which the container would then deploy), the overwriting of existing files, or their deletion.
Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain the latest source from svn or apply the patch published at http://people.apache.org/~mriou/CVE-2008-2370-patch.txt. Until the upgrade is applied, the deployment service should not be reachable by untrusted clients.
Example: deleting the file /tmp/blabla through the undeploy operation, by sending the following message to the deployment service (the repeated ../ segments climb out of the deployment directory to the file system root):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>
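To make the traversal concrete, here is an added example that is not part of the advisory or of the Apache ODE code base. It parses the undeploy message above, shows how a naive join of the deployment directory and the package name resolves to /tmp/blabla, and contrasts it with a hardened version of the same lookup that accepts only a plain name and confirms the resolved path stays inside the deployment directory. The deployment directory /var/lib/ode/processes and the function names are assumptions for the illustration; the message bytes are the advisory's own example, embedded inline.

```python
import posixpath
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Assumed deployment directory for the illustration (not ODE's real layout).
DEPLOY_DIR = "/var/lib/ode/processes"

# The undeploy message from the advisory, embedded here as the sample input.
UNDEPLOY_MSG = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>"""


def package_name_from_undeploy(msg: bytes) -> str:
    """Extract packageName from a pmapi undeploy request.

    packageName carries no namespace prefix in the message, so it is looked
    up as an unqualified child of the namespaced undeploy element.
    """
    root = ET.fromstring(msg)
    body = root.find(f"{{{SOAP_NS}}}Body")
    undeploy = body.find(f"{{{PMAPI_NS}}}undeploy")
    name = undeploy.find("packageName")
    if name is None or not name.text:
        raise ValueError("undeploy request without packageName")
    return name.text.strip()


def vulnerable_target(deploy_dir: str, package_name: str) -> str:
    """Behaviour the advisory describes: the name is joined onto the
    deployment directory without any check, so ../ segments escape it."""
    return posixpath.normpath(posixpath.join(deploy_dir, package_name))


def safe_target(deploy_dir: str, package_name: str) -> str:
    """Hardened lookup: a package name must be a single directory entry.

    1. Reject empty names, '.' and '..', and any path separator or NUL.
    2. Normalise the joined path and require its parent to be exactly the
       deployment directory, as a second line of defence. On a real server
       you would additionally resolve symlinks with os.path.realpath.
    """
    if not package_name or package_name in (".", ".."):
        raise ValueError(f"invalid package name: {package_name!r}")
    if any(ch in package_name for ch in ("/", "\\", "\0")):
        raise ValueError(f"path separators not allowed in package name: {package_name!r}")
    base = posixpath.normpath(deploy_dir)
    target = posixpath.normpath(posixpath.join(base, package_name))
    if posixpath.dirname(target) != base:
        raise ValueError(f"package name escapes deployment directory: {package_name!r}")
    return target


def is_rejected(deploy_dir: str, package_name: str) -> bool:
    """True if the hardened lookup refuses this package name."""
    try:
        safe_target(deploy_dir, package_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    name = package_name_from_undeploy(UNDEPLOY_MSG)
    print("packageName from message:", name)
    print("unchecked join resolves to:", vulnerable_target(DEPLOY_DIR, name))
    print("hardened lookup rejects it:", is_rejected(DEPLOY_DIR, name))
    print("benign name resolves to:", safe_target(DEPLOY_DIR, "HelloWorld"))
```

Run as a script, it shows the forged name collapsing to /tmp/blabla under the unchecked join, while the hardened lookup refuses it and still accepts an ordinary package name. Rejecting separators outright (step 1) is what actually closes the hole; the parent-directory comparison is there so that a later change to the name handling cannot silently reopen it.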
Credit: This issue was discovered by Marc Schoenefeld of Red Hat.