Vulnerability: Axis2 Default Administrator Password

Document ID : KB000013994
Last Modified Date : 04/10/2018
Introduction:

The Axis2 administrator account 'admin' ships with its password set to the default value 'axis2'. As a result, anyone with network access to the Axis2 port can trivially gain full access to the machine via arbitrary remote code execution.

Question:

How can I change the Axis2 default password?

Environment:
Platform Independent
Answer:

As a workaround, do the following: 

a. Stop the "Spectrum Tomcat Service" from Task Manager > Services (Windows) or with the stopTomcat.sh script in $SPECROOT/tomcat/bin (Linux/Solaris).

b. Edit the $SPECROOT/tomcat/webapps/axis2/WEB-INF/web.xml file and remove both the <servlet> and the <servlet-mapping> entries for AxisAdminServlet.

The content to remove will look like the text below: 

<servlet>
        <servlet-name>AxisAdminServlet</servlet-name>
        <display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>
        <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
</servlet>

This will be followed further down in the file by the following servlet-mapping section, which also needs to be removed:

<servlet-mapping>
        <servlet-name>AxisAdminServlet</servlet-name>
        <url-pattern>/axis2-admin/*</url-pattern>
</servlet-mapping>


c. For the username/password, there are two options:

i. Remove the userName/password parameters from the axis2.xml file, or
ii. Change the userName and password parameters in the axis2.xml file to stronger credentials that conform to your organization's password policies.

The parameters in axis2.xml look like this:

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

d. Start the "Spectrum Tomcat Service". 
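A post-change check, added here as an example and not part of this KB article: it parses web.xml and axis2.xml and reports whether the AxisAdminServlet entries (step b) or the default password (step c) are still present. The XML samples are constructed inline; on a real system read the files from the $SPECROOT paths given above, and the namespace URI and the changed password value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AxisAdminServlet entries the KB says to remove, in a namespaced web.xml.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>
</web-app>"""
WEB_XML_AFTER = '<web-app xmlns="http://java.sun.com/xml/ns/javaee"></web-app>'

# Constructed sample: the axis2.xml credential parameters, shipped default and then changed.
AXIS2_XML_BEFORE = """<axisconfig>
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""
AXIS2_XML_AFTER = """<axisconfig>
  <parameter name="password">CHANGE-ME-placeholder-policy-compliant-secret</parameter>
</axisconfig>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace: web.xml has one, axis2.xml does not

def admin_servlet_exposed(web_xml):
    """True if web.xml still declares or maps AxisAdminServlet (step b not applied)."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) in ("servlet", "servlet-mapping"):
            names = [c.text.strip() for c in el if _local(c.tag) == "servlet-name" and c.text]
            if "AxisAdminServlet" in names:
                return True
    return False

def default_password_present(axis2_xml):
    """True if axis2.xml still carries the shipped default password (step c not applied)."""
    for el in ET.fromstring(axis2_xml).iter():
        if _local(el.tag) == "parameter" and el.get("name") == "password":
            return (el.text or "").strip() == "axis2"
    return False  # parameter removed entirely (option i)

def check_workaround(web_xml, axis2_xml):
    """List the findings that remain; an empty list means the KB steps are in place."""
    findings = []
    if admin_servlet_exposed(web_xml):
        findings.append("web.xml still exposes AxisAdminServlet at /axis2-admin/*")
    if default_password_present(axis2_xml):
        findings.append("axis2.xml still uses the default password 'axis2'")
    return findings
```

Run check_workaround against the two files after restarting Tomcat; any finding it returns means the corresponding step needs to be redone.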

Additional Information:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0219