geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > 2.1.x Security Report
Date Wed, 07 Jul 2010 12:59:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.1.x+Security+Report">2.1.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Please send comments or corrections
for these vulnerabilities to the [Geronimo Security mailing list|mailto:security@geronimo.apache.org].
<br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">*
[Apache Geronimo 2.1.5|#216] <br></td></tr>
            <tr><td class="diff-unchanged" >* [Apache Geronimo 2.1.5|#215] <br>*
[Apache Geronimo 2.1.4|#214] <br></td></tr>
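            <tr><td class="diff-unchanged">Review bot: the added index entry * [Apache Geronimo 2.1.5|#216] carries the wrong version label: it targets the new #216 anchor and sits directly above the existing 2.1.5 entry, so it should read * [Apache Geronimo 2.1.6|#216].</td></tr>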
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >\\ <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Fixed in Geronimo 2.1.6 {anchor:216} <br>Please visit the [2.1.6 Release Notes|http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.6.TXT]
page for details on all of the included JIRAs. <br> <br>h3. Geronimo Server: <br>h4.
CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.
  <br>A vulnerability was found in both the Axis2 and CXF web services runtime that
can allow an attacker to determine the presence of files on a target server and potentially
extract the content of the target files.  This affects all Geronimo assemblies that include
the Axis2 or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies.  Details
of the vulnerabilities can be found in the following Axis2 and CXF security alerts: <br>
<br>* [https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf]
<br>* [https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf] <br>
<br>The Apache Geronimo 2.1.6 release includes patches to Axis2 1.3 and Axiom 1.2.5
and an upgrade to CXF 2.1.13.                                            <br> <br>An
alternative workaround, if you choose not to upgrade to Apache Geronimo 2.16, is to disable
the web services runtime or manually patch the server with updated versions of the runtime.
 Instructions for disabling the web services runtime or patching an existing release can be
found here:  <br> <br>* [Geronimo 2.1.x CVE-2010-1632 Patch Instructions|Geronimo
2.1.x CVE-2010-1632 Patch Instructions] <br> <br>JIRA:  [GERONIMO-5383|http://issues.apache.org/jira/browse/GERONIMO-5383]
<br>Affects:  2.1-2.1.5 <br> <br>h3. Geronimo Server: <br>h4. CVE-2010-1622:
Spring Framework execution of arbitrary code <br>The Spring Framework provides a mechanism
to use client provided data to update the properties of an object. This mechanism allows an
attacker to modify the properties of the class loader used to load the object (via &#39;class.classloader&#39;).
This can lead to arbitrary command execution since, for example, an attacker can modify the
URLs used by the class loader to point to locations controlled by the attacker.  Details of
this vulnerability can be found here: <br> <br>* [http://www.securityfocus.com/archive/1/511877/30/0/threaded]
<br> <br>The Apache Geronimo 2.1.6 release includes an upgrade to Spring Framework
v2.5.6.SEC02.  <br> <br>At the current time, there are no known exposures in the
Geronimo server due to this exploit, but applications using the included version of the Spring
Framework may be vulnerable.  An alternative workaround, if you choose not to upgrade to Apache
Geronimo 2.1.6, is to manually patch the server with the updated version of the Spring Framework.
 Instructions for patching an existing release can be found here:  <br> <br>*
[Geronimo Geronimo 2.1.x and 2.2.x Spring Framework SEC02 Patch Instructions|https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions]
<br> <br>JIRA:  [GERONIMO-5387|http://issues.apache.org/jira/browse/GERONIMO-5387]
<br>Affects:  2.1-2.1.5 <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h2. Fixed in Geronimo 2.1.5 {anchor:215}
<br>Please visit the [2.1.5 Release Notes|http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.5.TXT]
page for details on all of the included JIRAs. <br></td></tr>
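            <tr><td class="diff-unchanged">Review bot: two wording slips in the added 2.1.6 section: the Axis2/CXF workaround sentence says "if you choose not to upgrade to Apache Geronimo 2.16" where every other reference in the section is 2.1.6, and the Spring patch link text starts "Geronimo Geronimo 2.1.x and 2.2.x ..." with the first word doubled. Suggest correcting both to 2.1.6 and "Geronimo 2.1.x and 2.2.x ..." before the page is published.</td></tr>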
            <tr><td class="diff-snipped" >...<br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="2.1.xSecurityReport-ApacheGeronimo2.1.xvulnerabilities"></a>Apache
Geronimo 2.1.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating, either by
the Apache Geronimo team or by the dependent project supplying the fix; please note that
this rating is not uniform and will vary from project to project. We also list the versions
of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified against a
version we list that version with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>

<ul>
	<li><a href="#2.1.xSecurityReport-216">Apache Geronimo 2.1.6</a></li>
	<li><a href="#2.1.xSecurityReport-215">Apache Geronimo 2.1.5</a></li>
	<li><a href="#2.1.xSecurityReport-214">Apache Geronimo 2.1.4</a></li>
	<li><a href="#2.1.xSecurityReport-213">Apache Geronimo 2.1.3</a></li>
	<li><a href="#2.1.xSecurityReport-212">Apache Geronimo 2.1.2</a></li>
	<li><a href="#2.1.xSecurityReport-211">Apache Geronimo 2.1.1</a></li>
</ul>


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-OtherKnownVulnerabilities"></a>Other Known
Vulnerabilities</h2>

<p><b>None at this time.</b></p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.6"></a>Fixed in Geronimo
2.1.6 <a name="2.1.xSecurityReport-216"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.6.TXT"
class="external-link" rel="nofollow">2.1.6 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.1.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.1.xSecurityReport-CVE20101632andCVE20102076%3AAxis2andCXFHTTPbindingenablesDTDbasedXMLattacks."></a>CVE-2010-1632
and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.</h4>
<p>A vulnerability was found in both the Axis2 and CXF web services runtime that can
allow an attacker to determine the presence of files on a target server and potentially extract
the content of the target files.  This affects all Geronimo assemblies that include the Axis2
or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies.  Details of the vulnerabilities
can be found in the following Axis2 and CXF security alerts:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<p>The Apache Geronimo 2.1.6 release includes patches to Axis2 1.3 and Axiom 1.2.5 and
an upgrade to CXF 2.1.13.</p>

<p>An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6,
is to disable the web services runtime or manually patch the server with updated versions
of the runtime.  Instructions for disabling the web services runtime or patching an existing
release can be found here:</p>

<ul>
	<li><a href="/confluence/display/GMOxSITE/Geronimo+2.1.x+CVE-2010-1632+Patch+Instructions"
title="Geronimo 2.1.x CVE-2010-1632 Patch Instructions">Geronimo 2.1.x CVE-2010-1632 Patch
Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5383" class="external-link"
rel="nofollow">GERONIMO-5383</a><br/>
Affects:  2.1-2.1.5</p>
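<p>As an added illustration (not part of the original page or of the Axis2/CXF patches), the Java snippet below shows the parser-side control the advisory above implies: a JAXP DocumentBuilderFactory configured so that an inline DTD declaring an external entity is rejected before any file lookup can happen, while a DTD-free envelope still parses. It assumes the JDK's built-in Xerces-derived parser, which honours the feature URIs used; both payload strings are constructed samples.</p>

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class DtdHardenedParser {
    // Constructed sample, not a captured request: a minimal envelope whose inline DTD declares an
    // external entity. A parser that honours DTDs resolves &probe; against the local filesystem,
    // which is the file-probing behaviour the Axis2 and CXF advisories describe.
    static final String DTD_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE env [ <!ENTITY probe SYSTEM \"file:///placeholder/path\"> ]>\n"
        + "<env><body>&probe;</body></env>";

    // Constructed sample: the same envelope with no DTD at all.
    static final String CLEAN_PAYLOAD = "<env><body>hello</body></env>";

    // A factory whose parsers treat any DOCTYPE as a fatal error and never fetch external entities.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE means no entity can be declared, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for configurations that must accept a DOCTYPE but not resolve entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses xml with the given factory; false means the parser refused the document.
    public static boolean accepts(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder builder = f.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;   // DOCTYPE refused (or an entity fetch was attempted and failed)
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("clean payload accepted: " + accepts(hardened, CLEAN_PAYLOAD));
        System.out.println("DTD payload accepted:   " + accepts(hardened, DTD_PAYLOAD));
    }
}
```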

<h3><a name="2.1.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.1.xSecurityReport-CVE20101622%3ASpringFrameworkexecutionofarbitrarycode"></a>CVE-2010-1622:
Spring Framework execution of arbitrary code</h4>
<p>The Spring Framework provides a mechanism to use client provided data to update the
properties of an object. This mechanism allows an attacker to modify the properties of the
class loader used to load the object (via 'class.classloader'). This can lead to arbitrary
command execution since, for example, an attacker can modify the URLs used by the class loader
to point to locations controlled by the attacker.  Details of this vulnerability can be found
here:</p>

<ul>
	<li><a href="http://www.securityfocus.com/archive/1/511877/30/0/threaded" class="external-link"
rel="nofollow">http://www.securityfocus.com/archive/1/511877/30/0/threaded</a></li>
</ul>


<p>The Apache Geronimo 2.1.6 release includes an upgrade to Spring Framework v2.5.6.SEC02.</p>

<p>At the current time, there are no known exposures in the Geronimo server due to this
exploit, but applications using the included version of the Spring Framework may be vulnerable.
 An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6, is to manually
patch the server with the updated version of the Spring Framework.  Instructions for patching
an existing release can be found here: </p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x Spring Framework
SEC02 Patch Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5387" class="external-link"
rel="nofollow">GERONIMO-5387</a><br/>
Affects:  2.1-2.1.5</p>
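<p>The following Java example is added here and is not Spring's or Geronimo's own code: a minimal reflective property binder of the kind the paragraph above describes, with a deny-list over path segments so that a request parameter such as class.classLoader.URLs[0] is refused before any getter is invoked, while ordinary nested paths still bind. The bean classes, parameter names and forbidden-segment list are constructed assumptions.</p>

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class GuardedPropertyBinder {
    // Segments a client path must never traverse; "class" is the hop the advisory describes.
    static final Set<String> FORBIDDEN_SEGMENTS = Set.of("class", "classloader");
    // Constructed form-backing beans, standing in for whatever the application binds to.
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }
    public static class UserForm {
        private String name;
        private final Address address = new Address();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
    }
    // True when any segment of the dotted path (ignoring an [index] suffix) is forbidden.
    public static boolean isForbiddenPath(String path) {
        for (String segment : path.split("\\.")) {
            if (FORBIDDEN_SEGMENTS.contains(segment.replaceAll("\\[.*$", "").toLowerCase())) {
                return true;
            }
        }
        return false;
    }
    // Binds one String-valued property along a dotted path, refusing forbidden paths first.
    public static void bind(Object target, String path, String value)
            throws ReflectiveOperationException {
        if (isForbiddenPath(path)) {
            throw new IllegalArgumentException("refusing client-controlled path: " + path);
        }
        String[] segments = path.split("\\.");
        Object current = target;
        for (int i = 0; i < segments.length - 1; i++) {   // walk getters down to the last bean
            current = current.getClass().getMethod("get" + capitalize(segments[i])).invoke(current);
        }
        Method setter = current.getClass().getMethod("set" + capitalize(segments[segments.length - 1]), String.class);
        setter.invoke(current, value);
    }
    private static String capitalize(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }
    public static void main(String[] args) {
        UserForm form = new UserForm();
        Map<String, String> params = new LinkedHashMap<>();   // constructed request parameters
        params.put("name", "alice");                           // legitimate
        params.put("address.city", "Oslo");                    // legitimate nested path
        params.put("class.classLoader.URLs[0]", "x");          // the path shape the advisory describes
        for (Map.Entry<String, String> e : params.entrySet()) {
            try {
                bind(form, e.getKey(), e.getValue());
                System.out.println("bound    " + e.getKey());
            } catch (IllegalArgumentException | ReflectiveOperationException ex) {
                System.out.println("rejected " + e.getKey() + ": " + ex.getMessage());
            }
        }
    }
}
```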


<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.5"></a>Fixed in Geronimo
2.1.5 <a name="2.1.xSecurityReport-215"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.5.TXT"
class="external-link" rel="nofollow">2.1.5 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.4"></a>Fixed in Geronimo
2.1.4 <a name="2.1.xSecurityReport-214"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.4.TXT"
class="external-link" rel="nofollow">2.1.4 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.1.xSecurityReport-GeronimoServer"></a>Geronimo Server</h3>
<p>Included patch to close potential denial of service attack vector (OOM) in Tomcat
session handling</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-3838" class="external-link"
rel="nofollow">GERONIMO-3838</a><br/>
Affects:  2.1-2.1.3</p>

<h3><a name="2.1.xSecurityReport-GeronimoAdminConsole%3A"></a>Geronimo Admin
Console:</h3>
<h4><a name="2.1.xSecurityReport-CVE20085518%3AApacheGeronimowebadministrationconsoledirectorytraversalvulnerabilities."></a>CVE-2008-5518:
Apache Geronimo web administration console directory traversal vulnerabilities.</h4>
<p>A vulnerability was found in several portlets including Services/Repository, Embedded
DB/DB Manager, and Security/Keystores when running the Apache Geronimo server on Windows.
This issue may allow a remote attacker to upload any file in any directory.  This affects
all full JavaEE Geronimo assemblies or other distributions which include the administration
web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose
to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web
console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
for responsibly reporting this issue and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>

<h4><a name="2.1.xSecurityReport-CVE20090038%3AApacheGeronimowebadministrationconsoleXSSvulnerabilities"></a>CVE-2009-0038:
Apache Geronimo web administration console XSS vulnerabilities</h4>
<p>Various linked and stored cross-site scripting (XSS) vulnerabilities were found in
the Apache Geronimo administrative console and related utilities.  Using these vulnerabilities,
an attacker can steal an administrator's cookie and then authenticate as administrator or
perform certain administrative actions; for example, a user can inject XSS in some URLs or
in several input fields in various portlets.  This affects all full JavaEE Geronimo assemblies
or other distributions which include the administration web console up to and including Apache
Geronimo 2.1.3.  An alternative workaround (if you choose to not upgrade to Apache Geronimo
2.1.4) would be to stop or undeploy the administration web console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
and Marc Schoenefeld (Red Hat Security Response Team) for responsibly reporting this issue
and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>


<h4><a name="2.1.xSecurityReport-CVE20090039%3AApacheGeronimowebadministrationconsoleXSRFvulnerabilities"></a>CVE-2009-0039:
Apache Geronimo web administration console XSRF vulnerabilities</h4>
<p>Various cross-site request forgery (XSRF or CSRF) vulnerabilities were identified
in the Apache Geronimo web administration console. Exploiting these issues may allow a remote
attacker to perform certain administrative actions (e.g. changing the web administration password
or uploading applications) using predictable URL requests once the user has authenticated
and obtained a valid session with the server.  This affects all full JavaEE Geronimo assemblies
or other distributions which include the administration web console up to and including Apache
Geronimo 2.1.3.  An alternative workaround (if you choose to not upgrade to Apache Geronimo
2.1.4) would be to stop or undeploy the administration web console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
for responsibly reporting this issue and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.3"></a>Fixed in Geronimo
2.1.3 <a name="2.1.xSecurityReport-213"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.3.TXT"
class="external-link" rel="nofollow">2.1.3 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.1.xSecurityReport-DWR"></a>DWR</h3>
<p>Upgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -</p>
<ul>
	<li><a href="http://directwebremoting.org/dwr/changelog/dwr20" class="external-link"
rel="nofollow">DWR version 2.0.5 fixed 1 XSS vulnerability in r2077</a>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines

Fix for XSS issue in ExceptionHandler:

PartialResponse.fromOrdinal() throws a NumberFormatException trying to
parse the 'partialResponse' parameter.  This exception is never caught,
prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
which calls out.println(cause.getMessage()), thereby causing the XSS.
</pre>
</div></div></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4266" class="external-link"
rel="nofollow">GERONIMO-4266</a><br/>
Affects:  2.1-2.1.2</p>

<h3><a name="2.1.xSecurityReport-ActiveMQ"></a>ActiveMQ</h3>
<p>Included ActiveMQ patch for the following security exposure -</p>
<ul>
	<li><a href="https://issues.apache.org/activemq/browse/AMQ-1272" class="external-link"
rel="nofollow">AMQ-1272</a> - Stomp protocol does not correctly check authentication
(security hole)</li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4262" class="external-link"
rel="nofollow">GERONIMO-4262</a><br/>
Affects:  2.1-2.1.2</p>

<h3><a name="2.1.xSecurityReport-Tomcat"></a>Tomcat</h3>
<p>Upgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -</p>
<ul>
	<li>low: Cross-site scripting <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
class="external-link" rel="nofollow">CVE-2008-1232</a></li>
	<li>low: Cross-site scripting <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"
class="external-link" rel="nofollow">CVE-2008-1947</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
class="external-link" rel="nofollow">CVE-2008-2370</a></li>
	<li>moderate: Directory traversal <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
class="external-link" rel="nofollow">CVE-2008-2938</a></li>
</ul>


<p>For more details on each fix, please visit the <a href="http://tomcat.apache.org/security-6.html"
class="external-link" rel="nofollow">Tomcat 6.x Security</a> page.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4245" class="external-link"
rel="nofollow">GERONIMO-4245</a><br/>
Affects:  2.1-2.1.2</p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.2"></a>Fixed in Geronimo
2.1.2 <a name="2.1.xSecurityReport-212"></a></h2>

<h3><a name="2.1.xSecurityReport-DWR"></a>DWR</h3>
<p>Upgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes -</p>
<ul>
	<li><a href="http://directwebremoting.org/dwr/changelog/dwr20" class="external-link"
rel="nofollow">DWR version 2.0.1 and before contained 2 XSS vulnerabilities.</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4116" class="external-link"
rel="nofollow">GERONIMO-4116</a><br/>
Affects:  2.1-2.1.1</p>

<h3><a name="2.1.xSecurityReport-Tomcat"></a>Tomcat</h3>
<p>Upgraded from Tomcat 6.0.14 to 6.0.16 to include the following security fixes -</p>
<ul>
	<li>low: Session hi-jacking <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
class="external-link" rel="nofollow">CVE-2007-5333</a></li>
	<li>low: Elevated privileges <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342"
class="external-link" rel="nofollow">CVE-2007-5342</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
class="external-link" rel="nofollow">CVE-2007-5461</a></li>
	<li>important: Data integrity <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286"
class="external-link" rel="nofollow">CVE-2007-6286</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002"
class="external-link" rel="nofollow">CVE-2008-0002</a></li>
</ul>


<p>For more details on each fix, please visit the <a href="http://tomcat.apache.org/security-6.html"
class="external-link" rel="nofollow">Tomcat 6.x Security</a> page.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4085" class="external-link"
rel="nofollow">GERONIMO-4085</a><br/>
Affects:  2.1-2.1.1</p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.1"></a>Fixed in Geronimo
2.1.1 <a name="2.1.xSecurityReport-211"></a></h2>

<h3><a name="2.1.xSecurityReport-None"></a>None</h3>

<p><br class="atl-forced-newline" /></p>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.1.x+Security+Report">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=93182&revisedVersion=17&originalVersion=16">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
