
CVE-2019-0227

Apache Axis 1.4 - Remote Code Execution

Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 2 (Multiple Sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.


Apache Axis version 1.4 suffers from a remote code execution vulnerability.

*Credits: N/A
CVSS Scores
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Adjacent
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-11-14 CVE Reserved
  • 2019-04-09 First Exploit
  • 2019-04-10 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-10-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Apache | Axis | 1.4 | - | Affected
Oracle | Agile Engineering Data Management | 6.2.1.0 | - | Affected
Oracle | Agile Product Lifecycle Management Framework | 9.3.3 | - | Affected
Oracle | Application Testing Suite | 13.2.0.1 | - | Affected
Oracle | Application Testing Suite | 13.3.0.1 | - | Affected
Oracle | Big Data Discovery | 1.6 | - | Affected
Oracle | Communications Asap Cartridges | 7.2 | - | Affected
Oracle | Communications Asap Cartridges | 7.3 | - | Affected
Oracle | Communications Design Studio | 7.3.4.3.0 | - | Affected
Oracle | Communications Design Studio | 7.3.5.5.0 | - | Affected
Oracle | Communications Design Studio | 7.4.0.4.0 | - | Affected
Oracle | Communications Design Studio | 7.4.1.1.0 | - | Affected
Oracle | Communications Element Manager | 8.0.0 | - | Affected
Oracle | Communications Element Manager | 8.1.0 | - | Affected
Oracle | Communications Element Manager | 8.1.1 | - | Affected
Oracle | Communications Element Manager | 8.2.0 | - | Affected
Oracle | Communications Network Integrity | 7.3.5 | - | Affected
Oracle | Communications Network Integrity | 7.3.6 | - | Affected
Oracle | Communications Order And Service Management | 7.3.0.0.0 | - | Affected
Oracle | Communications Order And Service Management | 7.4 | - | Affected
Oracle | Communications Session Report Manager | 8.0.0 | - | Affected
Oracle | Communications Session Report Manager | 8.1.0 | - | Affected
Oracle | Communications Session Report Manager | 8.1.1 | - | Affected
Oracle | Communications Session Report Manager | 8.2.0 | - | Affected
Oracle | Communications Session Route Manager | 8.0.0 | - | Affected
Oracle | Communications Session Route Manager | 8.1.0 | - | Affected
Oracle | Communications Session Route Manager | 8.1.1 | - | Affected
Oracle | Communications Session Route Manager | 8.2.0 | - | Affected
Oracle | Endeca Information Discovery Studio | 3.2.0 | - | Affected
Oracle | Enterprise Manager Base Platform | 12.1.0.5 | - | Affected
Oracle | Enterprise Manager Base Platform | 13.3.0.0 | - | Affected
Oracle | Enterprise Manager For Fusion Middleware | 12.1.0.5 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | >= 7.3.3 <= 7.3.5 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.0 <= 8.0.8 | - | Affected
Oracle | Financial Services Compliance Regulatory Reporting | >= 8.0.6 <= 8.0.8 | - | Affected
Oracle | Financial Services Funds Transfer Pricing | >= 8.0.2 <= 8.0.7 | - | Affected
Oracle | Flexcube Core Banking | 11.7.0 | - | Affected
Oracle | Flexcube Core Banking | 11.8.0 | - | Affected
Oracle | Flexcube Core Banking | 11.9.0 | - | Affected
Oracle | Flexcube Core Banking | 11.10.0 | - | Affected
Oracle | Flexcube Private Banking | 12.0.0 | - | Affected
Oracle | Flexcube Private Banking | 12.1.0 | - | Affected
Oracle | Hospitality Guest Access | 4.2.0 | - | Affected
Oracle | Hospitality Guest Access | 4.2.1 | - | Affected
Oracle | Instantis Enterprisetrack | 17.1 | - | Affected
Oracle | Instantis Enterprisetrack | 17.2 | - | Affected
Oracle | Instantis Enterprisetrack | 17.3 | - | Affected
Oracle | Internet Directory | 12.2.1.3.0 | - | Affected
Oracle | Internet Directory | 12.2.1.4.0 | - | Affected
Oracle | Knowledge | >= 8.6.0 <= 8.6.3 | - | Affected
Oracle | Peoplesoft Enterprise Human Capital Management Human Resources | 7.3.5 | - | Affected
Oracle | Peoplesoft Enterprise Human Capital Management Human Resources | 7.3.6 | - | Affected
Oracle | Peoplesoft Enterprise Human Capital Management Human Resources | 9.2 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.56 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.57 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.58 | - | Affected
Oracle | Policy Automation Connector For Siebel | 10.4.6 | - | Affected
Oracle | Primavera Gateway | 16.2.11 | - | Affected
Oracle | Primavera Gateway | 17.12.6 | - | Affected
Oracle | Primavera Unifier | >= 17.7 <= 17.12 | - | Affected
Oracle | Primavera Unifier | 16.1 | - | Affected
Oracle | Primavera Unifier | 16.2 | - | Affected
Oracle | Primavera Unifier | 18.8 | - | Affected
Oracle | Primavera Unifier | 19.12 | - | Affected
Oracle | Rapid Planning | 12.1 | - | Affected
Oracle | Rapid Planning | 12.2 | - | Affected
Oracle | Real-time Decision Server | 3.2.1.0 | - | Affected
Oracle | Retail Order Broker | 15.0 | - | Affected
Oracle | Retail Order Broker | 16.0 | - | Affected
Oracle | Retail Order Broker | 18.0 | - | Affected
Oracle | Retail Xstore Point Of Service | 7.1 | - | Affected
Oracle | Secure Global Desktop | 5.4 | - | Affected
Oracle | Secure Global Desktop | 5.5 | - | Affected
Oracle | Siebel Ui Framework | <= 21.0 | - | Affected
Oracle | Tuxedo | 12.1.1.0.0 | - | Affected
Oracle | Tuxedo | 12.1.3 | - | Affected
Oracle | Webcenter Portal | 12.2.1.3.0 | - | Affected