Vulnerability: Axis2 default Administrator Password

Document ID : KB000013994
Last Modified Date : 20/03/2019

The Axis2 administrator account 'admin' ships with its password set to the default value 'axis2'. As a result, anyone who can reach the Axis2 port can trivially log in to the Axis2 administration console and, from there, obtain arbitrary remote code execution on the host, running with the privileges of the Tomcat service account.


How can I change the Axis2 default password?

Platform Independent

As a workaround, do the following: 

a. Stop the "Spectrum Tomcat Service" from Task Manager > Services (Windows) or with the stop script in $SPECROOT/tomcat/bin (Linux/Solaris). 

b. Edit the $SPECROOT/tomcat/webapps/axis2/WEB-INF/web.xml file and remove the <servlet> element that declares AxisAdminServlet, together with its <servlet-mapping> element. Remove both, so that no mapping is left referencing a servlet that is no longer declared. 

The <servlet> element to remove contains the line below: 

        <display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>

Further down in the file, the <servlet-mapping> element whose <servlet-name> is AxisAdminServlet also needs to be removed.

c. For the administrator username/password in the axis2.xml file there are two options: 

i. Remove the userName and password parameters from the axis2.xml file, or 
ii. Change the userName and password parameters in the axis2.xml file to stronger credentials that conform to your organization's password policy. 

As shipped, the two parameters look like this: 

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter> 

With option ii, escape any XML special characters (&, <, >) in the new values and do not reuse the password anywhere else. Either option complements step b rather than replacing it: changing the password on its own still leaves the administration console reachable from the network. 

d. Start the "Spectrum Tomcat Service". Confirm that the change took effect: a request to the path that was mapped to AxisAdminServlet (/axis2/axis2-admin/ in a stock Axis2 deployment) should now return an error instead of the administration login page. Because this is a workaround applied to shipped files, re-check both files after any Spectrum upgrade or reinstall, which may restore the defaults. 
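The following script is an added example, not part of this article and not CA/Broadcom code. It automates steps b and c above and provides the audit a practitioner would run before and after the change: it strips the AxisAdminServlet <servlet> and <servlet-mapping> elements from web.xml, either removes or replaces the userName/password parameters in axis2.xml (with XML escaping and a minimum-length check standing in for your password policy), and reports whether the default password or the admin servlet is still present. Assumptions not stated on the page: axis2.xml is located at WEB-INF/conf/axis2.xml, the shipped web.xml uses bare <servlet> and <servlet-mapping> tags with one <servlet-name> each, and the 12-character minimum is illustrative only. The embedded sample files are constructed and trimmed; they are not the real Spectrum files.

```python
"""Added example, not from the KB article or CA/Broadcom: scripts steps b and c of the
workaround and audits the result. Assumed, not stated on the page: axis2.xml sits in
WEB-INF/conf/ and the shipped web.xml uses bare <servlet>/<servlet-mapping> tags."""
import re
import sys
from getpass import getpass
from pathlib import Path
from xml.sax.saxutils import escape

ADMIN_SERVLET, DEFAULT_PASSWORD = "AxisAdminServlet", "axis2"
MIN_PASSWORD_LEN = 12  # illustrative floor; substitute your organization's policy

# Constructed, trimmed samples shaped like the shipped files (not the real files).
SAMPLE_WEB_XML = """<web-app>
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
    </servlet>
    <servlet>
        <servlet-name>AxisAdminServlet</servlet-name>
        <display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisAdminServlet</servlet-name>
        <url-pattern>/axis2-admin/*</url-pattern>
    </servlet-mapping>
</web-app>
"""
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""

def _element_re(tag):
    # One whole <tag>...</tag> element plus its trailing newline; the lookahead stops
    # the match at the first closing tag, so it never spans two sibling elements.
    return re.compile(rf"[ \t]*<{tag}>(?:(?!</{tag}>).)*</{tag}>[ \t]*\r?\n?", re.S)

def _param_re(name):
    return re.compile(rf'(?P<pre>[ \t]*<parameter\s+name="{name}"\s*>)(?P<val>.*?)'
                      rf'(?P<post></parameter>[ \t]*\r?\n?)', re.S)

def _declares(block, servlet_name):
    return re.search(rf"<servlet-name>\s*{servlet_name}\s*</servlet-name>", block) is not None

def audit(web_xml, axis2_xml):
    """Findings a scan of the two files should raise; an empty list means hardened."""
    findings = []
    if _declares(web_xml, ADMIN_SERVLET):
        findings.append("web.xml still declares AxisAdminServlet: admin console reachable")
    m = _param_re("password").search(axis2_xml)
    if m and m["val"].strip() == DEFAULT_PASSWORD:
        findings.append("axis2.xml still carries the default admin password")
    return findings

def remove_admin_servlet(web_xml):
    """Step b: drop only the AxisAdminServlet <servlet> and <servlet-mapping> elements."""
    for tag in ("servlet", "servlet-mapping"):
        web_xml = _element_re(tag).sub(
            lambda m: "" if _declares(m.group(0), ADMIN_SERVLET) else m.group(0), web_xml)
    return web_xml

def remove_admin_credentials(axis2_xml):
    """Step c, option i: delete the userName and password parameters."""
    for name in ("userName", "password"):
        axis2_xml = _param_re(name).sub("", axis2_xml)
    return axis2_xml

def set_admin_credentials(axis2_xml, user, password):
    """Step c, option ii: replace both parameters, XML-escaping the new values."""
    if password == DEFAULT_PASSWORD or len(password) < MIN_PASSWORD_LEN:
        raise ValueError("new password is the default or shorter than policy allows")
    for name, value in (("userName", user), ("password", password)):
        axis2_xml = _param_re(name).sub(
            lambda m, v=escape(value): m["pre"] + v + m["post"], axis2_xml)
    return axis2_xml

def harden_install(specroot, user, password):
    """Steps b and c(ii) in place with .bak copies; stop Tomcat first (a), start it after (d)."""
    web_path = specroot / "tomcat/webapps/axis2/WEB-INF/web.xml"
    axis2_path = specroot / "tomcat/webapps/axis2/WEB-INF/conf/axis2.xml"  # assumed location
    new_web = remove_admin_servlet(web_path.read_text())
    new_axis2 = set_admin_credentials(axis2_path.read_text(), user, password)
    for path, text in ((web_path, new_web), (axis2_path, new_axis2)):
        path.with_name(path.name + ".bak").write_text(path.read_text())
        path.write_text(text)
    return audit(new_web, new_axis2)

if __name__ == "__main__":
    # No arguments: dry run on the samples. "<SPECROOT> <new-user>": patch a real install.
    if len(sys.argv) == 3:
        print(harden_install(Path(sys.argv[1]), sys.argv[2], getpass("New admin password: ")))
    else:
        print("before:", audit(SAMPLE_WEB_XML, SAMPLE_AXIS2_XML))
        print("after:", audit(remove_admin_servlet(SAMPLE_WEB_XML),
                              set_admin_credentials(SAMPLE_AXIS2_XML, "ops", "a-long-unique-passphrase")))
```

Run it with no arguments to see the audit findings on the constructed samples before and after hardening; run it as `python harden_axis2.py /opt/SPECTRUM new-admin-user` (with Tomcat stopped) to patch a real install, after which the audit should return an empty list. The regex-based editing is deliberate: it preserves the file's formatting and namespace declarations, which a generic XML round-trip would rewrite, at the cost of assuming the stock tag layout noted above. The new password is read with getpass rather than taken from the command line so it does not land in shell history or the process list.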

Additional Information:

See CVE-2010-0219 (default administrator credentials in Apache Axis2) for more information on this vulnerability.