geronimo-dev mailing list archives

From Anita Kulshreshtha <a_kuls...@yahoo.com>
Subject Re: MEJB Security Alert
Date Thu, 06 Sep 2007 16:30:52 GMT
   If someone wanted to use MEJB, configuring EJBNetworkService to
listen to only localhost is an option, i.e. only local monitoring can
be done. For all other cases turning off MEJB is a better option
because it allows people to use remote EJBs.

Thanks
Anita
 
--- Donald Woods <dwoods@apache.org> wrote:

> Why not recommend setting it to only listen for localhost connections
> instead of the default 0.0.0.0 for now, to match the default setting
> used by RemoteDeploy?
> 
> <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
>      <gbean name="EJBNetworkService">
>          <attribute name="host">127.0.0.1</attribute>
>      </gbean>
> </module>
> 
> 
> -Donald
> 
> Anita Kulshreshtha wrote:
> > All, 
> >     We have discovered a security vulnerability in Geronimo, where the
> > management EJB (MEJB) allows unchallenged access to Geronimo internals.
> > A temporary workaround is to make the following modifications to the
> > configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
> > MEJB.
> > 
> > <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
> > <gbean name="EJBNetworkService">
> > .........................................
> > </gbean>
> > <gbean load="false" name="ejb/mgmt/MEJB"/>
> > </module>
> > 
> > We will be releasing a new version soon to control access to MEJB in a
> > more secure way. This issue will be tracked in
> > https://issues.apache.org/jira/browse/GERONIMO-3456
> > 
> > Thanks
> > Anita


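An added example, not code from this thread or from the Geronimo project: a small Python check that reads a <GERONIMO_HOME>/var/config.xml and reports whether the management EJB is reachable over the network, bound to the loopback interface only (Donald's suggestion), or disabled outright (Anita's workaround). The sample XML fragments are constructed for the example; the root element, its namespace and the module-name match on "/openejb/" are assumptions, and the parser ignores namespaces so it does not depend on them. It goes slightly beyond the thread in also treating "localhost" and "::1" as loopback bindings.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed config.xml fragments (the root element/namespace are assumptions).
# Default shape: EJBNetworkService present with no host attribute, so the
# container falls back to binding 0.0.0.0 and MEJB is reachable remotely.
DEFAULT_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
    </gbean>
  </module>
</attributes>
"""

# Loopback-only variant from the thread: host pinned to 127.0.0.1.
LOCALHOST_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
      <attribute name="host">127.0.0.1</attribute>
    </gbean>
  </module>
</attributes>
"""

# Disabled variant from the thread: the MEJB gbean is marked load="false".
DISABLED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
    </gbean>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
  </module>
</attributes>
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def mejb_exposure(config_xml: str) -> str:
    """Classify the MEJB exposure described by a config.xml document.

    Returns one of:
      "disabled"          - ejb/mgmt/MEJB gbean has load="false"
      "localhost-only"    - EJBNetworkService host is a loopback address
      "exposed"           - neither workaround applied (host absent => 0.0.0.0)
      "no-openejb-module" - no openejb module found in the file
    """
    root = ET.fromstring(config_xml)
    # {*} matches any namespace (Python 3.8+), so a namespaced or bare root both work.
    for module in root.findall(".//{*}module"):
        if "/openejb/" not in module.get("name", ""):
            continue
        gbeans = module.findall("{*}gbean")

        # Workaround 1: MEJB not loaded at all.
        if any(g.get("name") == "ejb/mgmt/MEJB" and g.get("load") == "false"
               for g in gbeans):
            return "disabled"

        # Workaround 2: network service bound to loopback only.
        host = None
        for g in gbeans:
            if g.get("name") != "EJBNetworkService":
                continue
            for attr in g.findall("{*}attribute"):
                if attr.get("name") == "host":
                    host = (attr.text or "").strip()
        if host in LOOPBACK_HOSTS:
            return "localhost-only"

        # No host attribute means the 0.0.0.0 default mentioned in the thread.
        return "exposed"
    return "no-openejb-module"


if __name__ == "__main__":
    # Usage: python check_mejb.py <GERONIMO_HOME>/var/config.xml
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(mejb_exposure(fh.read()))
    else:
        for label, doc in (("default", DEFAULT_CONFIG),
                           ("localhost", LOCALHOST_CONFIG),
                           ("disabled", DISABLED_CONFIG)):
            print(f"{label:10s} -> {mejb_exposure(doc)}")
```

Run with no arguments to see the three constructed fragments classified, or pass a real config.xml path. A result of "exposed" means neither the host pin nor the load="false" change from the thread is in place for that module.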