geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject Re: [SECURITY] Potential vulnerability in Jetty servlet container
Date Wed, 16 Jan 2008 19:40:48 GMT
I've updated this notice with a better location from which to obtain the 
jetty-6.1.7.jar (see below).

Joe Bohn wrote:
> The Geronimo project has learned of a security vulnerability in the 
> Jetty servlet container (6.1.5) included in Geronimo.  If you use a 
> Jetty configuration of Geronimo you may be affected by the vulnerability.
> 
> This vulnerability impacts Jetty configurations of Geronimo 2.0.1 and 
> 2.0.2.
> 
> For specific information regarding the Jetty vulnerability, see
> http://www.kb.cert.org/vuls/id/553235
> 
> The problem is related to the processing of URLs which contain multiple 
> consecutive forward slash (/) characters that are handled incorrectly 
> (for example, http://foo//../bar).
> 
> If your system is susceptible to attacks using such URLs we recommend 
> that you filter these URLs using an application firewall or reverse 
> proxy server.
> 
> Alternatively, you can upgrade your Geronimo Jetty server image to 
> utilize the corrected Jetty 6.1.7 jar:
> - Obtain a jetty-6.1.7.jar from 
> http://repo1.maven.org/maven2/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
> - Stop your Geronimo Jetty server image
> - copy jetty-6.1.7.jar to 
> <geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
> - remove the jetty 6.1.5 jar: 
> <geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.5/jetty-6.1.5.jar
> - start the Geronimo Jetty server.  The server will now be using the 
> 6.1.7 Jetty jar.
> 
> This vulnerability will be fixed in the next release of Geronimo (2.0.3 
> and/or 2.1) which will include Jetty 6.1.7 correcting the vulnerability.
> 
> 

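A request filter of the kind the notice recommends placing in a reverse proxy or application firewall, added here as an example and not part of the original message or of Geronimo/Jetty: it blocks any request whose path contains consecutive slashes, and it percent-decodes the path once before checking so an encoded slash (%2F) is caught by the same rule, which goes slightly beyond the literal example in the notice. The function names and sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Two or more consecutive slashes anywhere in the path.
MULTI_SLASH = re.compile(r"/{2,}")

def request_path(target: str) -> str:
    """Extract the path from an absolute URL or a bare request-target and
    percent-decode it once, so an encoded slash (%2F) is seen as a slash."""
    if "://" in target:
        path = urlsplit(target).path
    else:
        path = target.split("?", 1)[0]
    return unquote(path)

def canonical_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' and '..' segments;
    '..' never climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def filter_decision(target: str) -> dict:
    """Decide whether a front-end proxy should block the request.
    Blocked when the decoded path contains consecutive slashes, the class
    of URL the notice says Jetty 6.1.5 mishandles."""
    path = request_path(target)
    blocked = MULTI_SLASH.search(path) is not None
    return {
        "path": path,
        "canonical": canonical_path(path),
        "block": blocked,
        "reason": "consecutive slashes in path" if blocked else "",
    }

if __name__ == "__main__":
    # Constructed sample request targets (hypothetical, for illustration).
    for t in ("http://foo//../bar", "/app/%2F..%2Fsecret", "/app/index.html"):
        d = filter_decision(t)
        print(f"{t:28} block={d['block']!s:5} canonical={d['canonical']}")
```

The canonical form is reported alongside the decision so a proxy log can show what the request would have resolved to after normalization.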