geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > Geronimo 2.2.x CVE-2010-1632 Patch Instructions
Date Wed, 07 Jul 2010 11:40:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions">Geronimo
2.2.x CVE-2010-1632 Patch Instructions</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <h1><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-Geronimo2.1.xPatchInstructionsforCVE20101632andCVE20102076"></a>Geronimo
2.2.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076</h1>

<p>The Axis2 team has recently discovered a security vulnerability which may allow a
remote attacker to launch a denial of service attack. It is also possible for the attacker
to steal information from the machine which is running the web services. For more information
on this security vulnerability, please refer to the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
</ul>


<p>A similar vulnerability exists in the Apache CXF web services runtime as well.
 The CXF vulnerability is documented in the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<h2><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-HowisApacheGeronimoAffected%3F"></a>How
is Apache Geronimo Affected?</h2>

<p>Apache Geronimo includes Apache Axis2 and Apache CXF as the web services runtimes.
As a result, web services running on Apache Geronimo are vulnerable to this security issue.</p>

<p>These issues have been fixed in Apache CXF v2.1.10, Apache Axis2 v1.5.2, and Axiom
v1.2.9.  </p>

<h2><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-HowcanIavoidthesevulnerabilitiesinApacheGeronimo%3F"></a>How
can I avoid these vulnerabilities in Apache Geronimo?</h2>

<p>These vulnerabilities will be fixed in a future Geronimo v2.2.1 release that will
be available once the axis2 1.5.2 and axiom 1.2.9 releases are available.  Until the new releases
are available, the web services support can be disabled or the release can be patched with
updated axis2 and axiom components. </p>

<p>If you are not using the web services support, you can explicitly disable the web
services to remove the vulnerability.  To disable all web services, make the following
updates to the &lt;GERONIMO_HOME&gt;/var/config/config.xml file:</p>
<ol>
	<li>Remove the condition attribute and add the load="false" attribute to the org.apache.geronimo.configs/cxf-deployer//car
module.</li>
	<li>Remove the condition attribute and add the load="false" attribute to the org.apache.geronimo.configs/axis2-deployer//car
module.</li>
</ol>


<p>If you still require web services access, the following steps will upgrade the Axis2
and CXF versions used by the server. </p>

<h3><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingAxis2andCXFonanexistingserver"></a>Upgrading
Axis2 and CXF on an existing server</h3>

<h4><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingAxis2"></a>Upgrading
Axis2</h4>

<p>Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo
v2.2.  By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime.</p>

<p>This vulnerability will be fixed in the axiom 1.2.9 and axis2 1.5.2 releases, which
are not yet available.  Patching the Geronimo server requires building these components from
source. </p>

<ul>
	<li>If your server is running, stop the server.</li>
	<li>Make a backup of the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.  Once done, delete
the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/ and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.</li>
	<li>Checkout the axiom 1.2.9 source from the svn repository and build the axiom release:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
svn co http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1.2.9/ axiom
cd axiom 
mvn clean install 
</pre>
</div></div>                 </li>
	<li>Copy the 1.2.9 version of all jars from the build to the original directory structure.
 For example, axiom-api-1.2.9.jar can be copied from axiom/modules/axiom-api/target/.  The
following jars are required:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
axiom/modules/axiom-api/target/axiom-api-1.2.9.jar
axiom/modules/axiom-dom/target/axiom-dom-1.2.9.jar
axiom/modules/axiom-impl/target/axiom-impl-1.2.9.jar
</pre>
</div></div>            </li>
	<li>Checkout revision 952842 from the axis2 trunk and rebuild the axis2 release:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
svn co https://svn.apache.org/repos/asf/axis/axis2/java/core/trunk@952842 axis2
cd axis2
mvn clean install -Dmaven.test.skip=true 
</pre>
</div></div>            </li>
	<li>Copy the SNAPSHOT version of all jars present in the axis2 repository directory
to the original directory structure, renaming the jar versions from *-SNAPSHOT to *-1.5.2-r952842.
For example, axis2-kernel-SNAPSHOT.jar should be copied from axis2/modules/kernel/target/axis2-kernel-SNAPSHOT.jar
to &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-kernel/1.5.2-r952842/axis2-kernel-1.5.2-r952842.jar.
 The following jars are required:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
axis2/modules/jaxws/target/axis2-jaxws-SNAPSHOT.jar
axis2/modules/kernel/target/axis2-kernel-SNAPSHOT.jar
axis2/modules/metadata/target/axis2-metadata-SNAPSHOT.jar
axis2/modules/saaj/target/axis2-saaj-SNAPSHOT.jar
axis2/modules/transport/http/target/axis2-transport-http-SNAPSHOT.jar
axis2/modules/transport/local/target/axis2-transport-local-SNAPSHOT.jar
</pre>
</div></div>            </li>
	<li>Open the &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties file in
an editor and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
org.apache.axis2/axis2-jaxws/1.5/jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
org.apache.axis2/axis2-kernel/1.5/jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
org.apache.axis2/axis2-metadata/1.5/jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
org.apache.axis2/axis2-saaj/1.5/jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-http/1.5/jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-local/1.5/jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
org.apache.axis2/axis2-jaxws//jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
org.apache.axis2/axis2-metadata//jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
org.apache.axis2/axis2-saaj//jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-http//jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-local//jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
org.apache.ws.commons.axiom/axiom-api/1.2.8/jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
org.apache.ws.commons.axiom/axiom-dom/1.2.8/jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
org.apache.ws.commons.axiom/axiom-impl/1.2.8/jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
org.apache.ws.commons.axiom/axiom-api//jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
org.apache.ws.commons.axiom/axiom-dom//jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
org.apache.ws.commons.axiom/axiom-impl//jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
</pre>
</div></div>            </li>
	<li>Start the server.</li>
</ul>


<h4><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingCXF"></a>Upgrading
CXF</h4>

<p>Follow these steps if you are using Apache CXF as the web services runtime in Apache
Geronimo v2.2. By default, the Geronimo Jetty assembly uses CXF as the web services runtime.</p>
<ul>
	<li>If your server is running, stop the server.</li>
	<li>Make a backup of &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf directory.
Once done, delete the directory &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf.</li>
	<li>Download the 2.1.10 version of all jars present in the cxf repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/cxf/" class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/</a>.
For example, cxf-common-utilities-2.1.10.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/</a>.
The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.1.10/cxf-api-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.1.10/cxf-api-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/cxf-common-utilities-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/cxf-common-utilities-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.1.10/cxf-rt-bindings-soap-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.1.10/cxf-rt-bindings-soap-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.1.10/cxf-rt-bindings-xml-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.1.10/cxf-rt-bindings-xml-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.1.10/cxf-rt-core-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.1.10/cxf-rt-core-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.1.10/cxf-rt-databinding-jaxb-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.1.10/cxf-rt-databinding-jaxb-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.1.10/cxf-rt-frontend-jaxws-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.1.10/cxf-rt-frontend-jaxws-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.1.10/cxf-rt-frontend-simple-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.1.10/cxf-rt-frontend-simple-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.1.10/cxf-rt-transports-http-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.1.10/cxf-rt-transports-http-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-addr/2.1.10/cxf-rt-ws-addr-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-addr/2.1.10/cxf-rt-ws-addr-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-security/2.1.10/cxf-rt-ws-security-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-security/2.1.10/cxf-rt-ws-security-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.1.10/cxf-tools-common-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.1.10/cxf-tools-common-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-java2ws/2.1.10/cxf-tools-java2ws-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-java2ws/2.1.10/cxf-tools-java2ws-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-validator/2.1.10/cxf-tools-validator-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-validator/2.1.10/cxf-tools-validator-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-core/2.1.10/cxf-tools-wsdlto-core-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-core/2.1.10/cxf-tools-wsdlto-core-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/cxf-tools-wsdlto-databinding-jaxb-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/cxf-tools-wsdlto-databinding-jaxb-2.1.10.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/cxf-tools-wsdlto-frontend-jaxws-2.1.10.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/cxf-tools-wsdlto-frontend-jaxws-2.1.10.jar</a></li>
	</ul>
	</li>
</ul>


<ul>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy cxf-common-utilities-2.1.10.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf/cxf-common-utilities/2.1.10/.</li>
	<li>Open the &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties file in
an editor and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>
org.apache.cxf/cxf-api/2.1.4/jar=org.apache.cxf/cxf-api/2.1.10/jar
org.apache.cxf/cxf-common-schemas/2.1.4/jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
org.apache.cxf/cxf-common-utilities/2.1.4/jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-soap/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-xml/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
org.apache.cxf/cxf-rt-core/2.1.4/jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
org.apache.cxf/cxf-rt-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-simple/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
org.apache.cxf/cxf-rt-transports-http/2.1.4/jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
org.apache.cxf/cxf-rt-ws-addr/2.1.4/jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
org.apache.cxf/cxf-rt-ws-security/2.1.4/jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
org.apache.cxf/cxf-tools-common/2.1.4/jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
org.apache.cxf/cxf-tools-java2ws/2.1.4/jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
org.apache.cxf/cxf-tools-validator/2.1.4/jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-core/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.1.10/jar
org.apache.cxf/cxf-common-schemas//jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
org.apache.cxf/cxf-rt-ws-addr//jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
org.apache.cxf/cxf-rt-ws-security//jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
org.apache.cxf/cxf-tools-java2ws//jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
org.apache.cxf/cxf-tools-validator//jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-core//jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb//jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws//jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
</pre>
</div></div>            </li>
	<li>Start the server.</li>
</ul>
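<p>The copy-and-rename step and the artifact_aliases.properties entries have the same shape for every jar in both the Axis2 and the CXF procedures above: the jar lands at repository/&lt;group path&gt;/&lt;artifact&gt;/&lt;version&gt;/&lt;artifact&gt;-&lt;version&gt;.jar, and two alias lines map the old pinned version and the unversioned key to the new version. The POSIX shell script below is an added example, not code from this wiki page or from the Geronimo project; it assumes GERONIMO_HOME is exported, and the function names (install_jar, repo_path, alias_entry, append_alias) are the example's own.</p>

```shell
#!/bin/sh
# Added example, not part of the Geronimo wiki page or the Geronimo project.
# Installs one rebuilt or downloaded jar into the GERONIMO_HOME/repository
# layout used in the Axis2 and CXF steps (renaming e.g. axis2-kernel-SNAPSHOT.jar
# to axis2-kernel-1.5.2-r952842.jar on the way) and records the two
# artifact_aliases.properties entries the page adds for every jar.
# Assumption: GERONIMO_HOME is exported and points at the server installation.
set -eu

aliases_file() {
    printf '%s/var/config/artifact_aliases.properties' "$GERONIMO_HOME"
}

# repo_path GROUP ARTIFACT VERSION -> jar path relative to GERONIMO_HOME/repository,
# e.g. org/apache/axis2/axis2-kernel/1.5.2-r952842/axis2-kernel-1.5.2-r952842.jar
repo_path() {
    group_dir=$(printf '%s' "$1" | tr '.' '/')
    printf '%s/%s/%s/%s-%s.jar' "$group_dir" "$2" "$3" "$2" "$3"
}

# alias_entry GROUP ARTIFACT OLDVERSION NEWVERSION -> one properties line mapping
# GROUP/ARTIFACT/OLDVERSION/jar to NEWVERSION; an empty OLDVERSION yields the
# unversioned alias (GROUP/ARTIFACT//jar) the page also adds.
alias_entry() {
    printf '%s/%s/%s/jar=%s/%s/%s/jar' "$1" "$2" "$3" "$1" "$2" "$4"
}

# append_alias LINE -> adds LINE to the aliases file unless it is already there,
# so re-running the patch procedure never duplicates entries.
append_alias() {
    f=$(aliases_file)
    grep -qxF -- "$1" "$f" || printf '%s\n' "$1" >> "$f"
}

# install_jar SRC GROUP ARTIFACT OLDVERSION NEWVERSION -> copies SRC into the
# repository under its new name, writes both aliases, prints the destination.
install_jar() {
    src=$1; group=$2; artifact=$3; old=$4; new=$5
    dest="$GERONIMO_HOME/repository/$(repo_path "$group" "$artifact" "$new")"
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
    append_alias "$(alias_entry "$group" "$artifact" "$old" "$new")"
    append_alias "$(alias_entry "$group" "$artifact" "" "$new")"
    printf '%s\n' "$dest"
}

# Usage: sh install_jar.sh axis2/modules/kernel/target/axis2-kernel-SNAPSHOT.jar \
#            org.apache.axis2 axis2-kernel 1.5 1.5.2-r952842
if [ $# -eq 5 ]; then
    install_jar "$@"
fi
```

The same call with org.apache.cxf, the cxf-rt-* artifact id, 2.1.4 and 2.1.10 performs the corresponding CXF step.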




    </div>
</div>
</div>
</div>
</div>
</body>
</html>
