geronimo-dev mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: MEJB Security Alert
Date Thu, 06 Sep 2007 15:58:57 GMT
Why not recommend setting it to only listen for localhost connections instead 
of the default 0.0.0.0 for now, to match the default setting used by RemoteDeploy?

<module name="org.apache.geronimo.configs/openejb/2.0.1/car">
     <gbean name="EJBNetworkService">
         <attribute name="host">127.0.0.1</attribute>
     </gbean>
</module>


-Donald

Anita Kulshreshtha wrote:
> All, 
>     We have discovered a security vulnerability in Geronimo, where the
> management EJB (MEJB) allows unchallenged access to Geronimo internals.
> A temporary workaround is to make the following modifications to the
> configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
> MEJB.
> 
> <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
> <gbean name="EJBNetworkService">
> .........................................
> </gbean>
> <gbean load="false" name="ejb/mgmt/MEJB"/>
> </module>
> 
> We will be releasing a new version soon to control access to MEJB in a
> more secure way. This issue will be tracked in
> https://issues.apache.org/jira/browse/GERONIMO-3456
> 
> Thanks
> Anita
> 

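A small checker for the two workarounds discussed in this thread (disabling the ejb/mgmt/MEJB gbean, or binding EJBNetworkService to 127.0.0.1 instead of the 0.0.0.0 default). This is an added example written for this archive page, not code from the thread or from the Geronimo project. It assumes the module and gbean names quoted above; the root element and namespace of the constructed config.xml samples are assumptions, so the parser matches on local element names only and ignores namespaces. The sample configs are constructed for the example.

```python
"""Check a Geronimo var/config.xml for the MEJB workarounds from this thread.

Added example (not from the thread or the Geronimo project). Assumptions:
the root element/namespace of config.xml is not known for certain, so the
parser matches on local element names only; module and gbean names are the
ones quoted in the thread; a gbean without a load attribute is loaded.
"""
import xml.etree.ElementTree as ET

OPENEJB_MODULE = "org.apache.geronimo.configs/openejb/2.0.1/car"
MEJB_GBEAN = "ejb/mgmt/MEJB"
NETWORK_GBEAN = "EJBNetworkService"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _local(tag):
    """Strip a namespace prefix: '{ns}gbean' -> 'gbean'."""
    return tag.rsplit("}", 1)[-1]


def check_mejb_exposure(config_xml):
    """Return {'host': str|None, 'mejb_loaded': bool, 'exposed': bool}.

    'exposed' is True when the MEJB gbean is still loaded AND the EJB
    network listener is not bound to a loopback address (no host attribute
    means the 0.0.0.0 default described in the thread).
    """
    root = ET.fromstring(config_xml)
    module = next((el for el in root.iter()
                   if _local(el.tag) == "module" and el.get("name") == OPENEJB_MODULE),
                  None)
    if module is None:
        raise ValueError(f"module {OPENEJB_MODULE} not present in config.xml")

    host = None
    mejb_loaded = True
    for gbean in module:
        if _local(gbean.tag) != "gbean":
            continue
        name = gbean.get("name", "")
        if name == NETWORK_GBEAN:
            for attr in gbean:
                if _local(attr.tag) == "attribute" and attr.get("name") == "host":
                    host = (attr.text or "").strip()
        elif name == MEJB_GBEAN and gbean.get("load", "true").lower() == "false":
            mejb_loaded = False

    return {
        "host": host,
        "mejb_loaded": mejb_loaded,
        "exposed": mejb_loaded and host not in LOOPBACK_HOSTS,
    }


# Constructed sample configs (root element and namespace are assumptions).
_HEAD = '<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">'
_TAIL = "</attributes>"

# Shipping defaults: MEJB loaded, no host attribute -> listens on 0.0.0.0.
DEFAULT_CONFIG = f"""{_HEAD}
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="port">4201</attribute>
    </gbean>
  </module>
{_TAIL}"""

# Donald's suggestion: bind the EJB listener to loopback only.
LOOPBACK_CONFIG = f"""{_HEAD}
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="host">127.0.0.1</attribute>
    </gbean>
  </module>
{_TAIL}"""

# Anita's workaround: do not load the MEJB gbean at all.
DISABLED_CONFIG = f"""{_HEAD}
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="port">4201</attribute>
    </gbean>
    <gbean load="false" name="{MEJB_GBEAN}"/>
  </module>
{_TAIL}"""


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG),
                       ("loopback", LOOPBACK_CONFIG),
                       ("mejb disabled", DISABLED_CONFIG)):
        print(f"{label:14s} -> {check_mejb_exposure(cfg)}")
```

Binding to loopback keeps MEJB reachable from processes on the same host, so the checker reports both facts separately; treat a result with mejb_loaded still True as a reminder that the loopback bind is a stopgap until the fix tracked in GERONIMO-3456 ships.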