[ic] Serious SOAP::Lite security hole discovered

Jon Jensen interchange-users@interchange.redhat.com
Wed Apr 10 14:38:01 2002


Dear Interchange users:

Since version 4.7.1, Interchange has had support for the SOAP protocol,
which allows different systems to make remote procedure calls to each
other. This is implemented via the Perl SOAP::Lite module available on
CPAN.

A serious security hole in the SOAP::Lite module was explained in detail
in Phrack 58:

http://www.phrack.com/show.php?p=58&a=9

and recently reported and discussed on Use Perl:

http://use.perl.org/articles/02/04/09/000212.shtml?tid=5

Interchange has always had the SOAP service turned off by default. The
global configuration directive 'SOAP' has not even been placed in a
interchange.cfg comment, as is sometimes done for illustration purposes,
so only a tiny minority of Interchange installations should be vulnerable
to this problem.

There currently is no fixed version of SOAP::Lite available, and when one 
is released, it may or may not be compatible with Interchange. A patch is 
mentioned in the Use Perl article, but we have not tested it.

For maximum security, we recommend anyone using SOAP in Interchange
consider disabling it if it's not critical to operations. Otherwise,
consider limiting access to the TCP port used for SOAP by standard
firewalling (ipchains, iptables, ipfw) or a proxy.

Jon