SSRF in Apache Axis 1.4
CVE-2019-0227 is a server-side request forgery (SSRF) vulnerability in the Apache Axis 1.4 distribution. The issue affects the legacy Axis 1.x codebase; the vulnerable 1.4 binary distribution was last released in 2006. The flaw lets an attacker make the vulnerable Axis instance issue attacker-controlled outbound requests. The successor product, Apache Axis2 (including version 1.7.9, which the tracked content references), is stated to be unaffected.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
The repository contains two standalone Python exploit implementations for Apache Axis CVE-2019-0227, plus a README for each technique. It is not part of a larger exploit framework. The top-level README describes both approaches and their usage. The code files are jsp-webshell/axis_exp.py and freemarker-exec/axis_exp_Freemarker.py.

The JSP-webshell variant is a full remote code execution exploit that abuses /services/AdminService to deploy a malicious Axis service with a requestFlow handler of type org.apache.axis.handlers.LogHandler. That handler is configured to write attacker-controlled request content to ../webapps/ROOT/<random>.jsp. The script then POSTs JSP code to the newly deployed random service endpoint, causing the JSP webshell to be written to disk. Finally it verifies and uses the webshell via HTTP GET with the parameter cmd to execute arbitrary OS commands. It supports random service and shell names, optional HTTP Basic authentication, single-command execution, and an interactive loop. This variant leaves a file artifact on the target.

The Freemarker variant is a fileless RCE exploit. It also abuses /services/AdminService, but instead deploys a service whose className is freemarker.template.utility.Execute with allowedMethods=*. After successful deployment, it sends SOAP requests directly to /services/<random>, invoking exec with an attacker-supplied command string. Command output is parsed from <execReturn> in the SOAP response. It supports optional HTTP Basic authentication, single-command execution, and an interactive loop. This variant is stealthier because it does not write a webshell, but it depends on freemarker.jar being present on the target.

Overall purpose: automate exploitation of vulnerable Apache Axis 1.4 instances where remote administration is enabled, yielding arbitrary command execution.

The main fingerprintable artifacts are the Axis AdminService endpoint, dynamically created service endpoints under /services/, and the JSP shell written into the web root at ../webapps/ROOT/<random>.jsp on the target's file system. The repository is a real exploit set, not merely documentation or a scanner.
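As an added defender-side check (not code from the exploit repository or from Apache Axis), the following Python audits an Axis 1.x server-config.wsdd: it reports whether AdminService has remote administration switched on, and whether any deployed service matches the two deployment patterns described above (a LogHandler in the request flow, or a className of freemarker.template.utility.Execute). The sample WSDD is constructed; enableRemoteAdmin and LogHandler.fileName are the standard Axis 1.x option names and are not taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample server-config.wsdd: a stock AdminService with remote admin
# switched on, plus two rogue services shaped like the deployments described above.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="AdminService" provider="java:MSG">
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
    <parameter name="enableRemoteAdmin" value="true"/>
  </service>
  <service name="x7k2p" provider="java:RPC">
    <requestFlow>
      <handler type="java:org.apache.axis.handlers.LogHandler">
        <parameter name="LogHandler.fileName" value="../webapps/ROOT/x7k2p.jsp"/>
      </handler>
    </requestFlow>
    <parameter name="className" value="org.apache.axis.Version"/>
  </service>
  <service name="q9a" provider="java:RPC">
    <parameter name="className" value="freemarker.template.utility.Execute"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>"""

def _local(tag):
    """Strip the XML namespace so WSDD files with or without a prefix parse alike."""
    return tag.rsplit("}", 1)[-1]

def _params(elem):
    """Collect the <parameter name=... value=...> children of a service or handler."""
    return {p.get("name"): p.get("value") for p in elem if _local(p.tag) == "parameter"}

def audit_wsdd(xml_text):
    """Return (service name, finding) pairs for each exposure or rogue deployment found."""
    findings = []
    for svc in ET.fromstring(xml_text).iter():
        if _local(svc.tag) != "service":
            continue
        name, params = svc.get("name", "?"), _params(svc)
        # Exposure: AdminService accepting deployments from the network, not only localhost.
        if name == "AdminService" and params.get("enableRemoteAdmin", "false").lower() == "true":
            findings.append((name, "enableRemoteAdmin=true: AdminService accepts remote deployments"))
        # Fileless variant: the service class is freemarker's Execute utility.
        if params.get("className") == "freemarker.template.utility.Execute":
            findings.append((name, "className is freemarker.template.utility.Execute"))
        # Webshell variant: a LogHandler in the flow copies request bodies to a file.
        for h in svc.iter():
            if _local(h.tag) == "handler" and (h.get("type") or "").endswith("org.apache.axis.handlers.LogHandler"):
                findings.append((name, "LogHandler writes to " + _params(h).get("LogHandler.fileName", "<unset>")))
    return findings
```

Run it against the live server-config.wsdd of each Axis 1.x instance; a clean deployment with enableRemoteAdmin=false returns an empty list, and any rogue service it lists is an artifact to preserve before cleanup.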