geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > Geronimo 2.1.x and 2.2.x Spring Framework SEC02 Patch Instructions
Date Wed, 07 Jul 2010 11:57:01 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions">Geronimo
2.1.x and 2.2.x Spring Framework SEC02 Patch Instructions</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <h1><a name="Geronimo2.1.xand2.2.xSpringFrameworkSEC02PatchInstructions-Geronimo2.1.xandGeronimo2.2PatchInstructionsforSpringFrameworkSEC02Vulnerability."></a>Geronimo
2.1.x and Geronimo 2.2 Patch Instructions for the Spring Framework SEC02 Vulnerability</h1>
<p>The Spring Framework project has recently discovered a security vulnerability that
may allow a remote attacker to inject malicious code into an application that uses the
Spring Framework.  For more information on this vulnerability, please refer to the following
document:</p>
<ul>
	<li><a href="http://www.securityfocus.com/archive/1/511877/30/0/threaded" class="external-link"
rel="nofollow">http://www.securityfocus.com/archive/1/511877/30/0/threaded</a></li>
</ul>


<h2><a name="Geronimo2.1.xand2.2.xSpringFrameworkSEC02PatchInstructions-HowisApacheGeronimoAffected%3F"></a>How
is Apache Geronimo Affected?</h2>

<p>Apache Geronimo uses the Spring Framework to implement some functions in the ActiveMQ
console, and the vulnerable Spring libraries are included in the Geronimo jar repository.
The console application itself is not believed to be vulnerable to this attack, but any deployed
application that uses the included version of the Spring Framework might be.  Users are advised to
update the Spring libraries to remove the possibility that this exploit can be used.
</p>

<p>These issues have been fixed in Spring Framework version 2.5.6.SEC02.  </p>

<h2><a name="Geronimo2.1.xand2.2.xSpringFrameworkSEC02PatchInstructions-HowcanIavoidthesevulnerabilitiesinApacheGeronimo%3F"></a>How
can I avoid these vulnerabilities in Apache Geronimo?</h2>

<p>It is recommended that you move to Apache Geronimo v2.1.6 or v2.2.1.  These versions
include the updated Spring libraries. </p>

<p>If you wish to remain on an existing version of Geronimo, the installation can be
patched to avoid the vulnerability.  The following steps will upgrade the Spring framework
libraries used by the server. </p>

<ul>
	<li>If your server is running, stop it.</li>
	<li>Make a backup of the directory &lt;G_HOME&gt;/repository/org/springframework/.
 Once done, delete the directory &lt;G_HOME&gt;/repository/org/springframework/</li>
	<li>Download the 2.5.6.SEC02 version of all jars present in the springframework repository
directory from <a href="http://repo1.maven.org/maven2/org/springframework/" class="external-link"
rel="nofollow">http://repo1.maven.org/maven2/org/springframework/</a>.  For example,
spring-beans-2.5.6.SEC02.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/</a>.
 The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/spring-beans-2.5.6.SEC02.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/spring-beans-2.5.6.SEC02.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/springframework/spring-context/2.5.6.SEC02/spring-context-2.5.6.SEC02.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-context/2.5.6.SEC02/spring-context-2.5.6.SEC02.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/springframework/spring-core/2.5.6.SEC02/spring-core-2.5.6.SEC02.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-core/2.5.6.SEC02/spring-core-2.5.6.SEC02.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/springframework/spring-web/2.5.6.SEC02/spring-web-2.5.6.SEC02.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-web/2.5.6.SEC02/spring-web-2.5.6.SEC02.jar</a></li>
	</ul>
	</li>
</ul>


<ul>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy spring-beans-2.5.6.SEC02.jar to &lt;G_HOME&gt;/repository/org/springframework/spring-beans/2.5.6-SEC02</li>
	<li>Open &lt;G_HOME&gt;/var/config/artifact_aliases.properties in an editor
and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>org.springframework/spring-beans/2.5.6/jar=org.springframework/spring-beans/2.5.6-SEC02/jar
org.springframework/spring-context/2.5.6/jar=org.springframework/spring-context/2.5.6-SEC02/jar
org.springframework/spring-core/2.5.6/jar=org.springframework/spring-core/2.5.6-SEC02/jar
org.springframework/spring-web/2.5.6/jar=org.springframework/spring-web/2.5.6-SEC02/jar
</pre>
</div></div></li>
	<li>Start the server.</li>
</ul>
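<p>The patch steps above as a shell script, an added example that is not part of the wiki page or of the Geronimo project: given &lt;G_HOME&gt; and a directory already holding the four downloaded 2.5.6.SEC02 jars, it backs up and replaces the springframework repository directory, adds the alias entries only where they are absent, and verifies that each alias resolves to a jar on disk before the server is started. The function and variable names are this example's own assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of the Geronimo wiki page: applies the repository
# steps above to an install at G_HOME, given a directory that already holds the
# four downloaded 2.5.6.SEC02 jars. Function and variable names are assumptions.
SPRING_ARTIFACTS="spring-beans spring-context spring-core spring-web"
OLD_VERSION=2.5.6
JAR_VERSION=2.5.6.SEC02      # version in the Maven jar file names
DIR_VERSION=2.5.6-SEC02      # directory and alias version used on the page

# Back up the springframework directory (moved out of the repository so the
# server never scans the old jars), then recreate it with the patched jars in
# the org/springframework/<artifact>/<version>/ layout.
patch_spring_repository() {
    g_home=$1; jar_dir=$2; repo="$g_home/repository/org/springframework"
    [ -d "$repo" ] || { echo "no springframework directory under $g_home" >&2; return 1; }
    for a in $SPRING_ARTIFACTS; do   # fail before touching anything if a jar is missing
        [ -f "$jar_dir/$a-$JAR_VERSION.jar" ] || { echo "missing $a-$JAR_VERSION.jar" >&2; return 1; }
    done
    mv "$repo" "$g_home/springframework-backup-$(date +%Y%m%d%H%M%S)" || return 1
    for a in $SPRING_ARTIFACTS; do
        mkdir -p "$repo/$a/$DIR_VERSION" && cp "$jar_dir/$a-$JAR_VERSION.jar" "$repo/$a/$DIR_VERSION/" || return 1
    done
}

# Add the alias entries from the page, skipping any already present so that
# running the script twice does not duplicate lines.
add_artifact_aliases() {
    props="$1/var/config/artifact_aliases.properties"
    mkdir -p "$(dirname "$props")" && touch "$props" || return 1
    for a in $SPRING_ARTIFACTS; do
        key="org.springframework/$a/$OLD_VERSION/jar"
        grep -q "^$key=" "$props" && continue
        echo "$key=org.springframework/$a/$DIR_VERSION/jar" >> "$props"
    done
}

# Check before starting the server: each alias value (Geronimo artifact
# notation groupId/artifactId/version/type) must resolve to a repository
# directory that actually contains a jar.
verify_spring_patch() {
    g_home=$1; props="$g_home/var/config/artifact_aliases.properties"
    for a in $SPRING_ARTIFACTS; do
        target=$(grep "^org.springframework/$a/$OLD_VERSION/jar=" "$props" | cut -d= -f2)
        [ -n "$target" ] || { echo "no alias for $a" >&2; return 1; }
        dir="$g_home/repository/$(echo "$target" | cut -d/ -f1 | tr . /)/$(echo "$target" | cut -d/ -f2-3)"
        set -- "$dir"/*.jar
        [ -f "$1" ] || { echo "alias for $a points at $dir but no jar is there" >&2; return 1; }
    done
}
```

<p>Run the three functions in order with the server stopped, for example <code>patch_spring_repository /opt/geronimo ~/spring-sec02 &amp;&amp; add_artifact_aliases /opt/geronimo &amp;&amp; verify_spring_patch /opt/geronimo</code>, and start the server only if the last step succeeds.</p>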

    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions">View
Online</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>
