geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > 2.1.x Security Report
Date Wed, 07 Jul 2010 09:46:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.1.x+Security+Report">2.1.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. Fixed in Geronimo 2.1.5
{anchor:215} <br></td></tr>
            <tr><td class="diff-changed-lines" >Please visit the [2.1.5 Release
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Notes|http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.4.TXT]]</span>
<span class="diff-added-words"style="background-color: #dfd;">Notes|http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.5.TXT]</span>
page for details on all of the included JIRAs. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>*None at this time.* <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
        </table>
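<p>Review bot: the deleted wiki link had a doubled closing <code>]]</code>, which would have rendered a stray bracket, and pointed the 2.1.5 section at RELEASE-NOTES-2.1.4.TXT; the replacement line corrects both the bracket and the target so the link matches the "Fixed in Geronimo 2.1.5" heading it sits under. The surrounding context ("*None at this time.*") is unchanged, so the release-notes pointer is the only content in that section.</p>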
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="2.1.xSecurityReport-ApacheGeronimo2.1.xvulnerabilities"></a>Apache
Geronimo 2.1.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating either by
the Apache Geronimo team or by the dependent project supplying the fix; please note that
this rating is not uniform and will vary from project to project. We also list the versions
of Apache Geronimo the flaw is known to affect; where a flaw has not been verified against a
version, that version is listed with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>

<ul>
	<li><a href="#2.1.xSecurityReport-215">Apache Geronimo 2.1.5</a></li>
	<li><a href="#2.1.xSecurityReport-214">Apache Geronimo 2.1.4</a></li>
	<li><a href="#2.1.xSecurityReport-213">Apache Geronimo 2.1.3</a></li>
	<li><a href="#2.1.xSecurityReport-212">Apache Geronimo 2.1.2</a></li>
	<li><a href="#2.1.xSecurityReport-211">Apache Geronimo 2.1.1</a></li>
</ul>


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-OtherKnownVulnerabilities"></a>Other Known
Vulnerabilities</h2>

<p><b>None at this time.</b></p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.5"></a>Fixed in Geronimo
2.1.5 <a name="2.1.xSecurityReport-215"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.5.TXT"
class="external-link" rel="nofollow">2.1.5 Release Notes</a> page for details on
all of the included JIRAs.</p>

<p><b>None at this time.</b></p>


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.4"></a>Fixed in Geronimo
2.1.4 <a name="2.1.xSecurityReport-214"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.4.TXT"
class="external-link" rel="nofollow">2.1.4 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.1.xSecurityReport-GeronimoServer"></a>Geronimo Server</h3>
<p>Included a patch to close a potential denial-of-service attack vector (out-of-memory, OOM) in Tomcat
session handling.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-3838" class="external-link"
rel="nofollow">GERONIMO-3838</a><br/>
Affects:  2.1-2.1.3</p>

<h3><a name="2.1.xSecurityReport-GeronimoAdminConsole%3A"></a>Geronimo Admin
Console</h3>
<h4><a name="2.1.xSecurityReport-CVE20085518%3AApacheGeronimowebadministrationconsoledirectorytraversalvulnerabilities."></a>CVE-2008-5518:
Apache Geronimo web administration console directory traversal vulnerabilities.</h4>
<p>A vulnerability was found in several portlets, including Services/Repository, Embedded
DB/DB Manager, and Security/Keystores, when running the Apache Geronimo server on Windows.
This issue may allow a remote attacker to upload any file to any directory.  This affects
all full JavaEE Geronimo assemblies or other distributions which include the administration
web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose
not to upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web
console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
for responsibly reporting this issue and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>
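<p>The directory traversal above comes down to a client-supplied file name being joined onto a server directory without checking where the result ends up. The following is an added example, not Geronimo console code, of the check an upload portlet should make: it assumes a fixed server-chosen upload directory and a client that may only supply a bare file name, and it treats both <code>/</code> and <code>\</code> as separators on every platform, since a check that only knows the host's own separator is the kind that behaves differently on Windows.</p>

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Geronimo code): resolve a client-supplied file name
 * against a fixed upload directory and reject anything that would escape it.
 * Assumptions: the upload directory is chosen by the server, never the client,
 * and the client is only ever allowed to supply a bare file name.
 */
public final class SafeUploadPath {

    private final Path baseDir;

    public SafeUploadPath(Path baseDir) {
        // Canonical absolute form so that startsWith() compares like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the path to write to, or throws if the name is not a plain file
     * name inside baseDir. Both '/' and '\' are rejected on every platform.
     */
    public Path resolve(String clientSuppliedName) {
        if (clientSuppliedName == null || clientSuppliedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A bare file name contains no separators, no NUL and no drive letter.
        if (clientSuppliedName.indexOf('/') >= 0
                || clientSuppliedName.indexOf('\\') >= 0
                || clientSuppliedName.indexOf('\0') >= 0
                || clientSuppliedName.indexOf(':') >= 0) {
            throw new IllegalArgumentException("file name contains path characters");
        }
        if (clientSuppliedName.equals(".") || clientSuppliedName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path target = baseDir.resolve(clientSuppliedName).normalize();
        // Defence in depth: even after the character checks, confirm the
        // normalized result is still strictly below the base directory.
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        SafeUploadPath uploads = new SafeUploadPath(Paths.get("var", "uploads"));
        // Constructed sample inputs: one legitimate name and several traversal shapes.
        String[] samples = {
            "report.pdf",
            "../etc/passwd",
            "..\\..\\Windows\\win.ini",
            "C:evil.exe",
            "notes/../../x"
        };
        for (String name : samples) {
            try {
                System.out.println("ACCEPT " + name + " -> " + uploads.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

<p>Only <code>report.pdf</code> is accepted. The character check is the real gate; the <code>startsWith</code> test after <code>normalize()</code> is there so that a future change to the allowed character set cannot silently reopen the hole.</p>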

<h4><a name="2.1.xSecurityReport-CVE20090038%3AApacheGeronimowebadministrationconsoleXSSvulnerabilities"></a>CVE-2009-0038:
Apache Geronimo web administration console XSS vulnerabilities</h4>
<p>Various reflected (link-based) and stored cross-site scripting (XSS) vulnerabilities were found in
the Apache Geronimo administrative console and related utilities.  Using this vulnerability
an attacker can steal an administrator's cookie and then authenticate as administrator or
perform certain administrative actions. For example, a user can inject XSS in some URLs or
in several input fields in various portlets.  This affects all full JavaEE Geronimo assemblies
or other distributions which include the administration web console up to and including Apache
Geronimo 2.1.3.  An alternative workaround (if you choose not to upgrade to Apache Geronimo
2.1.4) would be to stop or undeploy the administration web console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
and Marc Schoenefeld (Red Hat Security Response Team) for responsibly reporting this issue
and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>


<h4><a name="2.1.xSecurityReport-CVE20090039%3AApacheGeronimowebadministrationconsoleXSRFvulnerabilities"></a>CVE-2009-0039:
Apache Geronimo web administration console XSRF vulnerabilities</h4>
<p>Various cross-site request forgery (XSRF or CSRF) vulnerabilities were identified
in the Apache Geronimo web administration console. Exploiting these issues may allow a remote
attacker to perform certain administrative actions (e.g. change the web administration password,
upload applications, etc.) using predictable URL requests once the user has authenticated
and obtained a valid session with the server.  This affects all full JavaEE Geronimo assemblies
or other distributions which include the administration web console up to and including Apache
Geronimo 2.1.3.  An alternative workaround (if you choose not to upgrade to Apache Geronimo
2.1.4) would be to stop or undeploy the administration web console application in the server.<br/>
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com)
for responsibly reporting this issue and assisting us with validating our fixes.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4597" class="external-link"
rel="nofollow">GERONIMO-4597</a><br/>
Affects:  2.1-2.1.3</p>
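<p>The CSRF entry above describes the classic failure: a request that carries the administrator's session cookie is accepted as the administrator's intent, so a page on another site can fire the "predictable URL" at the console. The standard defence is a synchronizer token that the forging site cannot read. The following is an added example, not Geronimo or Tomcat code; it uses a small <code>Session</code> stand-in for <code>HttpSession</code> (an assumption, so that it compiles against the JDK alone) and a parameter map in place of the servlet request.</p>

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Geronimo or Tomcat code): synchronizer-token check for
 * state-changing console requests. Session is a stand-in for HttpSession.
 */
public final class CsrfGuard {

    /** Stand-in for the servlet session: one attribute map per logged-in user. */
    public static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        public Object getAttribute(String k) { return attrs.get(k); }
        public void setAttribute(String k, Object v) { attrs.put(k, v); }
    }

    static final String TOKEN_ATTR = "csrf.token";   // hypothetical attribute name
    static final String TOKEN_PARAM = "csrfToken";   // hypothetical form field name
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Issues (or reuses) the per-session token that every form must embed. */
    public static String tokenFor(Session session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /**
     * True when the request may proceed. Safe methods pass; anything else must
     * carry a token equal to the session's, compared in constant time. A forged
     * cross-site request rides the victim's cookie but cannot read the token
     * out of the victim's page, so it fails here.
     */
    public static boolean allow(String method, Map<String, String> params, Session session) {
        if (SAFE_METHODS.contains(method.toUpperCase())) {
            return true;
        }
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        String supplied = params.get(TOKEN_PARAM);
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session admin = new Session();
        String token = tokenFor(admin);            // rendered into the legitimate form

        Map<String, String> legit = new HashMap<>();    // constructed request
        legit.put("newPassword", "constructed-value");
        legit.put(TOKEN_PARAM, token);

        Map<String, String> forged = new HashMap<>();   // constructed: no token available
        forged.put("newPassword", "constructed-value");

        System.out.println("legit POST allowed:  " + allow("POST", legit, admin));
        System.out.println("forged POST allowed: " + allow("POST", forged, admin));
        System.out.println("GET allowed:         " + allow("GET", forged, admin));
    }
}
```

<p>The third line of output is the caveat: the guard lets GET through on purpose, so it only protects actions that are not reachable by GET in the first place. A console whose password change or deployment action answers to a plain URL (which is what "predictable URL requests" above points at) has to move those actions behind POST before a token check helps at all.</p>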


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.3"></a>Fixed in Geronimo
2.1.3 <a name="2.1.xSecurityReport-213"></a></h2>
<p>Please visit the <a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/RELEASE-NOTES-2.1.3.TXT"
class="external-link" rel="nofollow">2.1.3 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.1.xSecurityReport-DWR"></a>DWR</h3>
<p>Upgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -</p>
<ul>
	<li><a href="http://directwebremoting.org/dwr/changelog/dwr20" class="external-link"
rel="nofollow">DWR version 2.0.5 fixed 1 XSS vulnerability in r2077</a>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines

Fix for XSS issue in ExceptionHandler:

PartialResponse.fromOrdinal() throws a NumberFormatException trying to
parse the 'partialResponse' parameter.  This exception is never caught,
prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
which calls out.println(cause.getMessage()), thereby causing the XSS.
</pre>
</div></div></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4266" class="external-link"
rel="nofollow">GERONIMO-4266</a><br/>
Affects:  2.1-2.1.2</p>
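<p>The DWR log message above and the console XSS entry under 2.1.4 share one root cause: request-controlled text reaches the response as markup. In the DWR case the text is an exception message (<code>NumberFormatException</code> embeds the string it failed to parse) printed by a default handler with no escaping. The following is an added example, not DWR or Geronimo code, showing the vulnerable pattern next to a hardened error handler; a <code>StringBuilder</code> stands in for the server log (an assumption).</p>

```java
import java.util.UUID;

/**
 * Added example (not DWR or Geronimo code): an error responder that never
 * writes an exception message into HTML unescaped. Two layers: the client gets
 * a generic body with an opaque reference, the real message goes only to the
 * log, and HTML escaping is the last line of defence for anything echoed.
 */
public final class SafeErrorHandler {

    /** Escape the five characters that let text break out of HTML text or attribute context. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The vulnerable pattern: the raw message becomes markup. */
    public static String unsafeBody(Throwable cause) {
        return "<p>" + cause.getMessage() + "</p>";
    }

    /**
     * Hardened: the client sees only an opaque reference; the message that may
     * contain request-controlled text goes to the log, where it is data, not markup.
     * The reference is escaped too, out of habit, although a UUID needs it not.
     */
    public static String safeBody(Throwable cause, StringBuilder log) {
        String ref = UUID.randomUUID().toString();
        log.append(ref).append(' ').append(cause.getClass().getName())
           .append(": ").append(cause.getMessage()).append('\n');
        return "<p>Request failed (reference " + escapeHtml(ref) + ")</p>";
    }

    public static void main(String[] args) {
        // Constructed input: a non-numeric value for a parameter the server
        // parses as an integer; the parser copies it into the exception message.
        String param = "<script>alert(1)</script>";
        Throwable cause = null;
        try {
            Integer.parseInt(param);
        } catch (NumberFormatException e) {
            cause = e;
        }
        if (cause == null) return;

        StringBuilder log = new StringBuilder();
        System.out.println("unsafe:  " + unsafeBody(cause));
        System.out.println("escaped: " + escapeHtml(cause.getMessage()));
        System.out.println("safe:    " + safeBody(cause, log));
        System.out.print("log:     " + log);
    }
}
```

<p>The "unsafe" line is a working script tag inside a paragraph; the "escaped" line is the same message rendered as inert text; the "safe" line shows that the best fix for an error path is not to echo the message at all. Escaping belongs in the response-writing layer so that every handler, including the default one that catches what nobody else did, gets it for free.</p>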

<h3><a name="2.1.xSecurityReport-ActiveMQ"></a>ActiveMQ</h3>
<p>Included ActiveMQ patch for the following security exposure -</p>
<ul>
	<li><a href="https://issues.apache.org/activemq/browse/AMQ-1272" class="external-link"
rel="nofollow">AMQ-1272</a> - Stomp protocol does not correctly check authentication
(security hole)</li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4262" class="external-link"
rel="nofollow">GERONIMO-4262</a><br/>
Affects:  2.1-2.1.2</p>

<h3><a name="2.1.xSecurityReport-Tomcat"></a>Tomcat</h3>
<p>Upgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -</p>
<ul>
	<li>low: Cross-site scripting <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
class="external-link" rel="nofollow">CVE-2008-1232</a></li>
	<li>low: Cross-site scripting <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"
class="external-link" rel="nofollow">CVE-2008-1947</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
class="external-link" rel="nofollow">CVE-2008-2370</a></li>
	<li>moderate: Directory traversal <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
class="external-link" rel="nofollow">CVE-2008-2938</a></li>
</ul>


<p>For more details on each fix, please visit the <a href="http://tomcat.apache.org/security-6.html"
class="external-link" rel="nofollow">Tomcat 6.x Security</a> page.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4245" class="external-link"
rel="nofollow">GERONIMO-4245</a><br/>
Affects:  2.1-2.1.2</p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.2"></a>Fixed in Geronimo
2.1.2 <a name="2.1.xSecurityReport-212"></a></h2>

<h3><a name="2.1.xSecurityReport-DWR"></a>DWR</h3>
<p>Upgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes -</p>
<ul>
	<li><a href="http://directwebremoting.org/dwr/changelog/dwr20" class="external-link"
rel="nofollow">DWR version 2.0.1 and before contained 2 XSS vulnerabilities.</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4116" class="external-link"
rel="nofollow">GERONIMO-4116</a><br/>
Affects:  2.1-2.1.1</p>

<h3><a name="2.1.xSecurityReport-Tomcat"></a>Tomcat</h3>
<p>Upgraded from Tomcat 6.0.14 to 6.0.16 to include the following security fixes -</p>
<ul>
	<li>low: Session hijacking <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
class="external-link" rel="nofollow">CVE-2007-5333</a></li>
	<li>low: Elevated privileges <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342"
class="external-link" rel="nofollow">CVE-2007-5342</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
class="external-link" rel="nofollow">CVE-2007-5461</a></li>
	<li>important: Data integrity <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286"
class="external-link" rel="nofollow">CVE-2007-6286</a></li>
	<li>important: Information disclosure <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002"
class="external-link" rel="nofollow">CVE-2008-0002</a></li>
</ul>


<p>For more details on each fix, please visit the <a href="http://tomcat.apache.org/security-6.html"
class="external-link" rel="nofollow">Tomcat 6.x Security</a> page.</p>

<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-4085" class="external-link"
rel="nofollow">GERONIMO-4085</a><br/>
Affects:  2.1-2.1.1</p>

<p><br class="atl-forced-newline" /></p>

<h2><a name="2.1.xSecurityReport-FixedinGeronimo2.1.1"></a>Fixed in Geronimo
2.1.1 <a name="2.1.xSecurityReport-211"></a></h2>

<h3><a name="2.1.xSecurityReport-None"></a>None</h3>

<p><br class="atl-forced-newline" /></p>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.1.x+Security+Report">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=93182&revisedVersion=14&originalVersion=13">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
