The Apache Software Foundation provides support for the Apache community of open-source software projects.
Apache projects are characterized by a collaborative, consensus-based development process, an open and pragmatic software license, and a desire to create high-quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
I'm pleased to announce the release of ODE 1.3.3, a security release of Apache ODE. It fixes a vulnerability in the process deployment service that allowed an attacker, using a forged message, to create, overwrite or delete files on the server file system. See the full vulnerability announcement below.
Apache ODE is a WS-BPEL compliant web service orchestration engine. It organizes web services calls following a process description written in the BPEL XML grammar. Another way to describe it would be a web-service capable workflow engine.
This new release also includes new features, bug fixes and improvements. See the release notes for an exhaustive list.
Apache ODE is an open source project released under a business-friendly license (Apache License v2.0), as such we welcome your help and contributions. To participate and get involved, our mailing lists are the best resources to start from: http://ode.apache.org/mailing-lists.html
Thank you,
The Apache ODE Team
CVE-2008-2370: Apache ODE information disclosure vulnerability
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE 2.0-beta1 and 2.0-beta2 are also affected.
Description: The process deployment web service was susceptible to deployment messages with forged names. Supplying a path as the package name allowed directory traversal, which could result in files being written to unwanted locations (such as a new WAR under a webapp deployment directory), existing files being overwritten, or files being deleted.
Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain the latest source from svn or apply the patch published under http://people.apache.org/~mriou/CVE-2008-2370-patch.txt.
Example: Deleting a file /tmp/blabla using undeploy by sending the following message to the deployment service:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>
Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
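As an added defensive illustration (not Apache ODE's own code and not the patch linked above): a Python sketch that pulls packageName out of the undeploy message shown in the advisory and applies the two checks a fixed deployment service needs, a strict name check and a containment check against the deployment root. The deployment root path and all function names are assumptions.

```python
import posixpath
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Constructed sample: the undeploy message quoted in the advisory above.
FORGED_UNDEPLOY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>"""


def package_name_from_undeploy(xml_text: str) -> str:
    """Extract <packageName> from a pmapi undeploy request (unqualified element, as in the advisory)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    body = root.find(f"{{{SOAP_NS}}}Body")
    undeploy = body.find(f"{{{PMAPI_NS}}}undeploy") if body is not None else None
    name = undeploy.find("packageName") if undeploy is not None else None
    if name is None or not name.text:
        raise ValueError("missing packageName")
    return name.text


def is_safe_package_name(name: str) -> bool:
    """A package name must be a bare directory name: no separators, no '.'/'..', no NUL."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in "/\\\0")


def resolve_package_dir(deploy_root: str, name: str) -> str:
    """Return the package directory under deploy_root, or raise if the name is unsafe
    or the normalised path would escape the root (second line of defence)."""
    if not is_safe_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    root = posixpath.normpath(deploy_root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes deployment root: {candidate}")
    return candidate


if __name__ == "__main__":
    forged = package_name_from_undeploy(FORGED_UNDEPLOY)
    print("forged name safe?", is_safe_package_name(forged))          # False
    print(resolve_package_dir("/var/ode/processes", "HelloWorld-1"))  # assumed root
```

On a real server the containment check should be done on the canonical (symlink-resolved) path of the deployment directory rather than on a string normalisation alone.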