geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > Geronimo 2.1.x CVE-2010-1632 Patch Instructions
Date Wed, 07 Jul 2010 10:55:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+CVE-2010-1632+Patch+Instructions">Geronimo
2.1.x CVE-2010-1632 Patch Instructions</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (0)</h4>
                                 
    
<h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-Geronimo2.1.xPatchInstructionsforCVE20101632andCVE20102076"></a>Geronimo
2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076</h1>

<p>The Axis2 team has recently discovered a security vulnerability which may allow a
remote attacker to launch a denial of service attack. It is also possible for the attacker
to steal information from the machine which is running the web services. For more information
on this security vulnerability, please refer to the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
</ul>


<p>A similar vulnerability is found in the Apache CXF web services runtime as well.
 The CXF vulnerability is documented in the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<h2><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-HowisApacheGeronimoAffected%3F"></a>How
is Apache Geronimo Affected?</h2>

<p>Apache Geronimo includes both Apache Axis2 and Apache CXF as the web services runtimes.&nbsp;
As a result, web services running on Apache Geronimo are vulnerable to this security issue.</p>

<p>These issues have been fixed in Apache CXF v2.0.13 and the Axis2 and Axiom versions
used by Apache Geronimo.</p>

<h2><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-HowcanIavoidthesevulnerabilitiesinApacheGeronimov2.1.x%3F"></a>How
can I avoid these vulnerabilities in Apache Geronimo v2.1.x?</h2>

<p>It is recommended that you move to Apache Geronimo v2.1.6. Version 2.1.6 includes
the fixes for these vulnerabilities.</p>

<p>If you wish to remain on an existing version of Geronimo, the installation can be
patched to avoid the vulnerability or, if you are not using the web services support, you
can explicitly disable the web services to remove the vulnerability. To disable the web services,
make the following updates to the &lt;GERONIMO_HOME&gt;/var/config/config.xml file:</p>
<ol>
	<li>Remove the condition attribute and add the load="false" attribute to the org.apache.geronimo.configs/cxf-deployer//car
module.</li>
	<li>Remove the condition attribute and add the load="false" attribute to the org.apache.geronimo.configs/axis2-deployer//car
module.</li>
</ol>


<h3><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-UpgradingAxis2andCXFonanexistingserver"></a>Upgrading
Axis2 and CXF on an existing server</h3>


<h4><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-UpgradingAxis2"></a>Upgrading
Axis2</h4>

<p>Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo
v2.1.x. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime.
These upgrade instructions only work with the 2.1.4 and 2.1.5 versions of Apache Geronimo.
If you are using an earlier server release, an upgrade to a newer release is required.</p>


<ul>
	<li>If your server is running, stop the server.</li>
	<li>Make a backup of &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar.</li>
	<li>Once done, delete the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-kernel/1.3-G20090406
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5.</li>
	<li>Download the jars <a href="http://www.apache.org/dist/geronimo/2.1.6/axis2-kernel-1.3-G20100610.jar"
class="external-link" rel="nofollow">http://www.apache.org/dist/geronimo/2.1.6/axis2-kernel-1.3-G20100610.jar</a>
and <a href="http://www.apache.org/dist/geronimo/2.1.6/axiom-api-1.2.5-20100610.jar" class="external-link"
rel="nofollow">http://www.apache.org/dist/geronimo/2.1.6/axiom-api-1.2.5-20100610.jar</a>.</li>
	<li>Place the downloaded jars in the repository locations &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-kernel/1.3-G20100610/
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5-G201100610/,
respectively.</li>
	<li>Open &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties in an editor
and add the following entries:
	<ul>
		<li>org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar</li>
		<li>org.apache.axis2/axis2-kernel/1.3-G20100610/jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar</li>
		<li>org.apache.ws.commons.axiom/axiom-api//jar=org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar</li>
		<li>org.apache.ws.commons.axiom/axiom-api/1.2.5/jar=org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar</li>
	</ul>
	</li>
</ul>


<ul>
	<li>Start the server.</li>
</ul>




<h4><a name="Geronimo2.1.xCVE-2010-1632PatchInstructions-UpgradingCXF"></a>Upgrading
CXF</h4>

<p>Follow these steps if you are using Apache CXF as the web services runtime in Apache
Geronimo v2.1.x. By default, the Geronimo Jetty assembly uses CXF as the web services runtime.</p>



<ul>
	<li>If your server is running, stop the server.</li>
	<li>Make a backup of the &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf directory.
Once done, delete the directory &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf.</li>
	<li>Download the 2.0.13 version of all jars present in the cxf repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/cxf/" class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/</a>.
For example, cxf-common-utilities-2.0.13.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/</a>.
The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.0.13/cxf-api-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.0.13/cxf-api-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/cxf-common-utilities-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/cxf-common-utilities-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.0.13/cxf-rt-bindings-soap-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.0.13/cxf-rt-bindings-soap-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.0.13/cxf-rt-bindings-xml-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.0.13/cxf-rt-bindings-xml-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.0.13/cxf-rt-core-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.0.13/cxf-rt-core-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.0.13/cxf-rt-databinding-jaxb-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.0.13/cxf-rt-databinding-jaxb-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.0.13/cxf-rt-frontend-jaxws-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.0.13/cxf-rt-frontend-jaxws-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.0.13/cxf-rt-frontend-simple-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.0.13/cxf-rt-frontend-simple-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.0.13/cxf-rt-transports-http-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.0.13/cxf-rt-transports-http-2.0.13.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.0.13/cxf-tools-common-2.0.13.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.0.13/cxf-tools-common-2.0.13.jar</a></li>
	</ul>
	</li>
</ul>



<ul>
	<li>Copy all the jars into the original repository directory layout, using the new
version numbers. For example, copy cxf-common-utilities-2.0.13.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf/cxf-common-utilities/2.0.13/.</li>
	<li>Open &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties in an editor
and add the following entries:
	<ul>
		<li>org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-common-utilities/2.0.12/jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-api/2.0.12/jar=org.apache.cxf/cxf-api/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-bindings-soap/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-bindings-xml/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-core/2.0.12/jar=org.apache.cxf/cxf-rt-core/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-databinding-jaxb/2.0.12/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-frontend-jaxws/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-frontend-simple/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-rt-transports-http/2.0.12/jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.0.13/jar</li>
		<li>org.apache.cxf/cxf-tools-common/2.0.12/jar=org.apache.cxf/cxf-tools-common/2.0.13/jar</li>
	</ul>
	</li>
</ul>



<ul>
	<li>Start the server.</li>
</ul>
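<p>The following shell script is an added post-patch check; it is not part of this page or of the Geronimo project. Pointed at a &lt;GERONIMO_HOME&gt; after either the Axis2 or the CXF procedure above, it confirms that each replaced artifact's new jar is in place, that the pre-patch version directory is gone, and that artifact_aliases.properties redirects the versionless artifact to the new version. It assumes the repository layout &lt;GERONIMO_HOME&gt;/repository/&lt;group path&gt;/&lt;artifact&gt;/&lt;version&gt;/&lt;artifact&gt;-&lt;version&gt;.jar, takes the axiom version 1.2.5-20100610 from the alias entries and jar name above, and the sample install it builds for the demonstration is constructed, not real.</p>

```shell
#!/bin/sh
# Added post-patch check (not from the Geronimo page): confirms the Axis2/CXF upgrade
# steps above left the repository and alias file in the expected state. Assumed layout:
# <GERONIMO_HOME>/repository/<group path>/<artifact>/<version>/<artifact>-<version>.jar
# and <GERONIMO_HOME>/var/config/artifact_aliases.properties.
# check_artifact HOME GROUP ARTIFACT OLD_VERSION NEW_VERSION -> 0 when the new jar is
# present, the old version directory is gone, and GROUP/ARTIFACT//jar aliases to NEW.
check_artifact() {
  home=$1; group=$2; artifact=$3; old=$4; new=$5; status=0
  base="$home/repository/$(printf '%s' "$group" | tr . /)/$artifact"
  aliases="$home/var/config/artifact_aliases.properties"
  want="$group/$artifact//jar=$group/$artifact/$new/jar"
  [ -f "$base/$new/$artifact-$new.jar" ] || { echo "MISSING $base/$new/$artifact-$new.jar"; status=1; }
  [ ! -d "$base/$old" ] || { echo "STALE   $base/$old still present"; status=1; }
  # Java properties permit blanks around '=', so strip whitespace before the exact match.
  sed 's/[[:space:]]//g' "$aliases" 2>/dev/null | grep -Fxq "$want" \
    || { echo "NOALIAS $want"; status=1; }
  return $status
}
check_axis2() {   # the two artifacts replaced under "Upgrading Axis2"
  rc=0
  check_artifact "$1" org.apache.axis2 axis2-kernel 1.3-G20090406 1.3-G20100610 || rc=1
  check_artifact "$1" org.apache.ws.commons.axiom axiom-api 1.2.5 1.2.5-20100610 || rc=1
  return $rc
}
check_cxf() {     # the ten CXF jars listed under "Upgrading CXF", 2.0.12 -> 2.0.13
  rc=0
  for a in cxf-api cxf-common-utilities cxf-rt-bindings-soap cxf-rt-bindings-xml cxf-rt-core \
           cxf-rt-databinding-jaxb cxf-rt-frontend-jaxws cxf-rt-frontend-simple \
           cxf-rt-transports-http cxf-tools-common; do
    check_artifact "$1" org.apache.cxf "$a" 2.0.12 2.0.13 || rc=1
  done
  return $rc
}
# Constructed fixture (not a real install): a patched Axis2 layout whose axiom alias
# line carries blanks around '=', exactly as the page's own axiom entries do.
make_sample_home() {
  ak="$1/repository/org/apache/axis2/axis2-kernel/1.3-G20100610"
  ax="$1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5-20100610"
  mkdir -p "$ak" "$ax" "$1/var/config"
  : > "$ak/axis2-kernel-1.3-G20100610.jar"; : > "$ax/axiom-api-1.2.5-20100610.jar"
  cat > "$1/var/config/artifact_aliases.properties" <<'EOF'
org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar
org.apache.ws.commons.axiom/axiom-api//jar = org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar
EOF
}
demo=$(mktemp -d); make_sample_home "$demo"
check_axis2 "$demo" && echo "Axis2 patch state verified under $demo"; rm -rf "$demo"
```

<p>On a real server, replace the constructed fixture with the actual &lt;GERONIMO_HOME&gt; and call check_axis2 or check_cxf, according to which runtime you patched; any MISSING, STALE or NOALIAS line names the step that still needs attention.</p>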

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
