geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > 2.2.x Security Report
Date Wed, 07 Jul 2010 13:11:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">2.2.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (5)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >\\ <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h2.
TBD <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">\\
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Apache
Geronimo 2.2 has not been released yet, but Geronimo trunk (2.2-SNAPSHOT) does include all
of the security fixes that have been applied to branches/2.1 and documented on the [Geronimo
2.1.x Security|2.1.x Security Report] page. <br> <br>Please visit the [Apache
Geronimo 2.2 Release Status|http://cwiki.apache.org/confluence/display/GMOxPMGT/Geronimo+2.2+Release+Status]
page for planned release content and dates. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Known Vulnerabilities <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
Geronimo Server: <br>h4. CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding
enables DTD based XML attacks.   <br>A vulnerability was found in both the Axis2 and
CXF web services runtime that can allow an attacker to determine the presence of files on
a target server and potentially extract the content of the target files.  This affects all
Geronimo assemblies that include the Axis2 or CXF runtimes, in particular, the javaee5 Jetty
and Tomcat assemblies.  Details of the vulnerabilities can be found in the following Axis2
and CXF security alerts: <br> <br>* [https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf]
<br>* [https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf] <br>
<br>The CXF vulnerabilities are fixed in CXF 2.1.10.  The Axis2 vulnerability will be
fixed in Axis2 1.5.2 and Axiom 1.2.9.  The Axis2 and Axiom releases are not yet available,
but patch versions can be built from the project source trees.  The updated versions will
be included in an upcoming Apache Geronimo 2.2.1 release.  <br> <br>As an immediate
workaround, you can disable the web services runtime or manually patch the server with updated
versions of the runtime.  Instructions for disabling the web services runtime or patching
an existing release can be found here:  <br> <br>* [Geronimo 2.2.x CVE-2010-1632
Patch Instructions|Geronimo 2.2.x CVE-2010-1632 Patch Instructions] <br> <br>JIRA:
 [GERONIMO-5383|http://issues.apache.org/jira/browse/GERONIMO-5383] <br>Affects:  2.2
<br> <br>h3. Geronimo Server: <br>h4. CVE-2010-1622: Spring Framework execution
of arbitrary code <br>The Spring Framework provides a mechanism to use client provided
data to update the properties of an object. This mechanism allows an attacker to modify the
properties of the class loader used to load the object (via &#39;class.classloader&#39;).
This can lead to arbitrary command execution since, for example, an attacker can modify the
URLs used by the class loader to point to locations controlled by the attacker.  Details of
this vulnerability can be found here: <br> <br>* [http://www.securityfocus.com/archive/1/511877/30/0/threaded]
<br> <br>A future Apache Geronimo 2.2.1 release will include an upgrade to Spring
Framework v2.5.6.SEC02.  <br> <br>At the current time, there are no known exposures
in the Geronimo server due to this exploit, but applications using the included version of
the Spring Framework may be vulnerable.  An immediate workaround is to manually patch the
server with the updated version of the Spring Framework.  Instructions for patching an existing
release can be found here:  <br> <br>* [Geronimo Geronimo 2.1.x and 2.2.x Spring
Framework SEC02 Patch Instructions|https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions]
<br> <br>JIRA:  [GERONIMO-5387|http://issues.apache.org/jira/browse/GERONIMO-5387]
<br>Affects:  2.2 <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >\\ <br> <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="2.2.xSecurityReport-ApacheGeronimo2.2.xvulnerabilities"></a>Apache
Geronimo 2.2.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 2.2. Each vulnerability is given a security impact rating by either
the Apache Geronimo team or by the dependent project supplying the fix. Note that these ratings
are not uniform and vary from project to project. We also list the versions of Apache Geronimo
the flaw is known to affect; where a flaw has not been verified against a version, that version
is listed with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>


<h2><a name="2.2.xSecurityReport-KnownVulnerabilities"></a>Known Vulnerabilities</h2>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.2.xSecurityReport-CVE20101632andCVE20102076%3AAxis2andCXFHTTPbindingenablesDTDbasedXMLattacks."></a>CVE-2010-1632
and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD-based XML attacks</h4>
<p>A vulnerability was found in both the Axis2 and CXF web services runtimes that can
allow an attacker to determine the presence of files on a target server and potentially extract
the content of those files. This affects all Geronimo assemblies that include the Axis2
or CXF runtimes, in particular the javaee5 Jetty and Tomcat assemblies. Details of the vulnerabilities
can be found in the following Axis2 and CXF security alerts:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<p>The CXF vulnerabilities are fixed in CXF 2.1.10.  The Axis2 vulnerability will be
fixed in Axis2 1.5.2 and Axiom 1.2.9.  The Axis2 and Axiom releases are not yet available,
but patch versions can be built from the project source trees.  The updated versions will
be included in an upcoming Apache Geronimo 2.2.1 release. </p>
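<p>The DTD-based attacks described above depend on the web services runtime's XML parser honouring a DOCTYPE supplied by the client. The following Java class is an added example, not code from Axis2, CXF or Geronimo, showing how a JAXP <code>DocumentBuilder</code> is configured to refuse any DOCTYPE and never resolve external general or parameter entities, then exercised with two constructed SOAP-style messages. The feature URIs are the standard Xerces/SAX names honoured by the JDK's bundled parser; the message bodies, the <code>ping</code> element and the <code>probe</code> entity are constructed for the example.</p>

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Build a DocumentBuilder that rejects any DOCTYPE declaration outright and, as
    // defence in depth, never fetches external general/parameter entities or an
    // external DTD. The feature URIs are Xerces/SAX names understood by the JDK parser.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Parse a message with the hardened builder. Returns the root element name on
    // success, or null when the parser refused the document; a caller should treat
    // null as a rejected request and log it rather than fall back to a lenient parser.
    public static String rootElementOrNull(String xml) {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("parser does not support a required feature", e);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages (not captured from any real deployment).
        String plain = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soap:Body><ping/></soap:Body></soap:Envelope>";
        // Same envelope, but carrying a DTD with an internal entity; the hardened
        // builder stops at the DOCTYPE, before any entity is declared or expanded.
        String withDtd = "<?xml version=\"1.0\"?>"
                       + "<!DOCTYPE soap:Envelope [ <!ENTITY probe \"x\"> ]>"
                       + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                       + "<soap:Body>&probe;</soap:Body></soap:Envelope>";

        System.out.println("plain message    -> " + rootElementOrNull(plain));
        System.out.println("message with DTD -> " + rootElementOrNull(withDtd));
    }
}
```

<p>Any JDK 5 or later compiles and runs this without extra libraries. The second message is refused at the DOCTYPE itself, so whether the entity is internal, external or a parameter entity never matters; that is the property to confirm on a patched runtime, for instance by checking that a request carrying a DOCTYPE is answered with a fault rather than processed.</p>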

<p>As an immediate workaround, you can disable the web services runtime or manually
patch the server with updated versions of the runtime.  Instructions for disabling the web
services runtime or patching an existing release can be found here: </p>

<ul>
	<li><a href="/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions"
title="Geronimo 2.2.x CVE-2010-1632 Patch Instructions">Geronimo 2.2.x CVE-2010-1632 Patch
Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5383" class="external-link"
rel="nofollow">GERONIMO-5383</a><br/>
Affects:  2.2</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.2.xSecurityReport-CVE20101622%3ASpringFrameworkexecutionofarbitrarycode"></a>CVE-2010-1622:
Spring Framework execution of arbitrary code</h4>
<p>The Spring Framework provides a mechanism to use client-provided data to update the
properties of an object. This mechanism allows an attacker to modify the properties of the
class loader used to load the object (via 'class.classloader'). This can lead to arbitrary
command execution since, for example, an attacker can modify the URLs used by the class loader
to point to locations controlled by the attacker. Details of this vulnerability can be found
here:</p>

<ul>
	<li><a href="http://www.securityfocus.com/archive/1/511877/30/0/threaded" class="external-link"
rel="nofollow">http://www.securityfocus.com/archive/1/511877/30/0/threaded</a></li>
</ul>


<p>A future Apache Geronimo 2.2.1 release will include an upgrade to Spring Framework
v2.5.6.SEC02. </p>
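<p>The property-path binding described above is dangerous because a client-supplied name such as 'class.classloader' walks from the form bean to its <code>Class</code> and on to the <code>ClassLoader</code>. The following plain-JDK class is an added example, not Spring or Geronimo code, of the defensive binding pattern that complements the upgrade: bind only an explicit allow-list of top-level properties, refuse nested paths outright, and introspect with <code>Object.class</code> as the stop class so the <code>class</code> property is not even visible to the binder. <code>SignupForm</code> and the parameter map are constructed for the example; applications that bind through Spring's own <code>DataBinder</code> get the same restriction from <code>setAllowedFields</code> and <code>setDisallowedFields</code>.</p>

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class AllowListBinder {

    // Constructed form bean for the example: the only properties a client may set.
    public static class SignupForm {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    private final Set<String> allowed;
    private final Map<String, String> rejected = new LinkedHashMap<String, String>();

    public AllowListBinder(String... allowedFields) {
        this.allowed = new HashSet<String>(Arrays.asList(allowedFields));
    }

    // Copy client parameters onto the target bean. Only names on the allow-list are
    // bound, and any nested path (containing '.' or '[') is refused before it is even
    // looked up, so a name like "class.classloader" can never reach the ClassLoader.
    public void bind(Object target, Map<String, String> params)
            throws IntrospectionException, IllegalAccessException, InvocationTargetException {
        // Object.class as the stop class keeps getClass() out of the property set.
        BeanInfo info = Introspector.getBeanInfo(target.getClass(), Object.class);
        Map<String, Method> setters = new HashMap<String, Method>();
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            if (setter != null && setter.getParameterTypes()[0] == String.class) {
                setters.put(pd.getName(), setter);
            }
        }
        for (Map.Entry<String, String> e : params.entrySet()) {
            String path = e.getKey();
            if (path.indexOf('.') >= 0 || path.indexOf('[') >= 0) {
                rejected.put(path, "nested paths are never bound");
            } else if (!allowed.contains(path)) {
                rejected.put(path, "not on the allow-list");
            } else if (!setters.containsKey(path)) {
                rejected.put(path, "no String setter on " + target.getClass().getSimpleName());
            } else {
                setters.get(path).invoke(target, e.getValue());
            }
        }
    }

    // Rejected parameter names with the reason; worth logging, since a burst of
    // nested-path rejections is a useful signal that someone is probing the binder.
    public Map<String, String> getRejected() {
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: two legitimate fields plus the
        // property path named in the advisory.
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("name", "alice");
        params.put("email", "alice@example.org");
        params.put("class.classloader", "ignored");

        SignupForm form = new SignupForm();
        AllowListBinder binder = new AllowListBinder("name", "email");
        binder.bind(form, params);

        System.out.println("name=" + form.getName() + " email=" + form.getEmail());
        System.out.println("rejected=" + binder.getRejected());
    }
}
```

<p>The allow-list is deliberately positive (name the fields you accept) rather than negative (block <code>class</code>), because a deny-list has to anticipate every path that leads somewhere sensitive, while an allow-list of two plain string properties cannot be widened by the client.</p>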

<p>At the current time, there are no known exposures in the Geronimo server itself due to this
vulnerability, but applications using the included version of the Spring Framework may be vulnerable.
An immediate workaround is to manually patch the server with the updated version of the Spring
Framework. Instructions for patching an existing release can be found here:</p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x Spring Framework
SEC02 Patch Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5387" class="external-link"
rel="nofollow">GERONIMO-5387</a><br/>
Affects:  2.2</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=93185&revisedVersion=4&originalVersion=3">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
