geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject [SECURITY] Potential vulnerability in Jetty servlet container
Date Mon, 14 Jan 2008 19:49:19 GMT
The Geronimo project has learned of a security vulnerability in the 
Jetty servlet container (6.1.5) included in Geronimo.  If you use a 
Jetty configuration of Geronimo you may be affected by the vulnerability.

This vulnerability impacts Jetty configurations of Geronimo 2.0.1 and 2.0.2.

For specific information regarding the Jetty vulnerability, see
http://www.kb.cert.org/vuls/id/553235

The problem is related to the processing of URLs which contain multiple 
consecutive forward slash (/) characters that are handled incorrectly 
(for example, http://foo//../bar).

If your system is susceptible to attacks using such URLs we recommend 
that you filter these URLs using an application firewall or reverse 
proxy server.
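The filtering recommended above needs a concrete test for the URL shape the advisory describes. The following is an added example, not code from the advisory, Geronimo or Jetty: it flags request paths containing consecutive slashes and dot segments, run here over constructed access-log lines, and the same check can sit in a reverse proxy or be used to review existing logs.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry, e.g. "GET /a/b HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Constructed sample access log (not taken from the advisory or from Geronimo).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2008:19:49:19 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [14/Jan/2008:19:50:02 +0000] "GET /app//../other/page.html HTTP/1.1" 200 1337
10.0.0.9 - - [14/Jan/2008:19:50:10 +0000] "GET /app/css//site.css?v=2 HTTP/1.1" 200 88
10.0.0.7 - - [14/Jan/2008:19:51:44 +0000] "GET /app/%2e%2e//docs/ HTTP/1.1" 404 0
"""

def path_of(target):
    """Keep only the path: drop query string and fragment."""
    return target.split("?", 1)[0].split("#", 1)[0]

def classify_path(raw_path):
    """Return a reason label for a risky path shape, or None if it looks clean.

    Checks the shape the advisory names (http://foo//../bar): an empty segment
    produced by consecutive slashes, and a dot segment ("." or "..") seen after
    one round of percent-decoding. Double-encoded input would need another
    unquote pass; a proxy should decode the same number of times Jetty does.
    """
    path = unquote(raw_path)
    empty_segment = "//" in path
    dot_segment = any(seg in (".", "..") for seg in path.split("/"))
    if empty_segment and dot_segment:
        return "consecutive-slash-with-dot-segment"
    if empty_segment:
        return "consecutive-slash"
    if dot_segment:
        return "dot-segment"
    return None

def scan_log(log_text):
    """Return (line_number, raw_path, reason) for each flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        raw_path = path_of(m.group("target"))
        reason = classify_path(raw_path)
        if reason is not None:
            hits.append((n, raw_path, reason))
    return hits
```

A proxy rule that blocks on "consecutive-slash" alone matches the advisory's recommendation; the combined label identifies the exact pattern it cites.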

Alternatively, you can upgrade your Geronimo Jetty server image to 
utilize the corrected Jetty 6.1.7 jar:
- Obtain a jetty-6.1.7.jar from 
http://repository.codehaus.org/org/mortbay/jetty/jetty/6.1.7/
- Stop your Geronimo Jetty server image
- Copy jetty-6.1.7.jar to 
<geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
- Remove the Jetty 6.1.5 jar: 
<geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.5/jetty-6.1.5.jar
- Start the Geronimo Jetty server.  The server will now be using the 
6.1.7 Jetty jar.

This vulnerability will be fixed in the next release of Geronimo (2.0.3 
and/or 2.1), which will include Jetty 6.1.7, correcting the vulnerability.

