geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject [SECURITY] Web Administration Console vulnerabilities
Date Tue, 31 Mar 2009 16:24:31 GMT
The Apache Geronimo project has learned of several security 
vulnerabilities in the Geronimo Administration Console.  If you use a 
full javaee5 configuration of the Geronimo server or have installed the 
console into another Geronimo server configuration you may be affected 
by these vulnerabilities.

The vulnerabilities affect all full JavaEE Geronimo assemblies or other 
distributions that include the administration web console up to and 
including Apache Geronimo 2.1.3.

The vulnerabilities are in the areas of directory traversal from the 
administration console as well as XSS and XSRF exposures.  All 
vulnerabilities have been addressed in the newly released Geronimo 2.1.4 
server currently available for download at: 
http://geronimo.apache.org/downloads.html

For specific information regarding the vulnerabilities please see the 
security report:
http://geronimo.apache.org/21x-security-report.html

The Apache Geronimo project would like to thank Digital Security 
Research Group (dsecrg.com) and Marc Schoenefeld (Red Hat Security 
Response Team) for responsibly reporting these issues and assisting us 
with validating our fixes.
