geronimo-dev mailing list archives

From Anita Kulshreshtha <a_kuls...@yahoo.com>
Subject MEJB Security Alert
Date Thu, 06 Sep 2007 13:46:21 GMT
All, 
    We have discovered a security vulnerability in Geronimo, where the
management EJB (MEJB) allows unchallenged access to Geronimo internals.
A temporary workaround is to make the following modifications to the
configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
MEJB.

<module name="org.apache.geronimo.configs/openejb/2.0.1/car">
<gbean name="EJBNetworkService">
.........................................
</gbean>
<gbean load="false" name="ejb/mgmt/MEJB"/>
</module>

We will be releasing a new version soon to control access to MEJB in a
more secure way. This issue will be tracked in
https://issues.apache.org/jira/browse/GERONIMO-3456

Thanks
Anita
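
A check that the workaround in the message above is in place, as an added example that is not part of the original message or of Geronimo: it parses config.xml and reports, for each openejb module, whether the ejb/mgmt/MEJB gbean carries load="false". The <attributes> root element in the samples and the name mejb_status are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

OPENEJB_PREFIX = "org.apache.geronimo.configs/openejb/"  # module name in the message, version left open
MEJB_GBEAN = "ejb/mgmt/MEJB"                             # gbean name in the message

def _local(tag):
    """Strip an XML namespace, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]

def mejb_status(config_xml):
    """Map each openejb module in config.xml to 'disabled', 'enabled' or 'no-override'."""
    result = {}
    for module in ET.fromstring(config_xml).iter():
        if _local(module.tag) != "module":
            continue
        name = module.get("name", "")
        if not name.startswith(OPENEJB_PREFIX):
            continue
        status = "no-override"  # no MEJB entry: the workaround has not been applied
        for gbean in module:
            if _local(gbean.tag) == "gbean" and gbean.get("name") == MEJB_GBEAN:
                off = gbean.get("load", "true").strip().lower() == "false"
                status = "disabled" if off else "enabled"
        result[name] = status
    return result

# Constructed sample: the module from the message inside an assumed <attributes> root.
SAMPLE_FIXED = """<attributes>
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService"/>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
  </module>
</attributes>"""

# Constructed sample: the same module without the MEJB override line.
SAMPLE_UNFIXED = SAMPLE_FIXED.replace('<gbean load="false" name="ejb/mgmt/MEJB"/>', "")

if __name__ == "__main__":
    # Pass the path to <GERONIMO_HOME>/var/config.xml; without one the fixed sample is used.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIXED
    statuses = mejb_status(text)
    for module_name, status in statuses.items():
        print(f"{module_name}: MEJB {status}")
    # Non-zero exit unless every openejb module found has MEJB disabled.
    sys.exit(0 if statuses and all(s == "disabled" for s in statuses.values()) else 1)
```

The script only inspects the gbean override named in the message; it does not confirm what the running server has actually loaded.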
