geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > 2.2.x Security Report
Date Mon, 16 Aug 2010 16:23:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">2.2.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Affects:  2.2 <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
Geronimo Server: <br>h4. CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information
Disclosure Vulnerability  <br>The Tomcat web container contains a vulnerability that
may expose the Geronimo server to remote denial of service attacks and potentially disclose
information about applications running on the Geronimo server.  Details of this vulnerability
can be found here: <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">*
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227] <br> <br>A future
Apache Geronimo 2.2.1 release will include an upgrade to Tomcat version 2.0.29.  <br>
<br>It is recommended that existing servers configured to use the Tomcat web container
manually patch the server with the updated version of the Tomcat.  Instructions for patching
an existing release can be found here:  <br> <br>* [Geronimo Geronimo 2.1.x and
2.2.x CVE-2010-2227 Apache Tomcat Remote Denial of Service Patch Instructions|https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+CVE-2010-2227+Apache+Tomcat+Remote+Denial+Of+Service+Patch+Instructions]
<br> <br>JIRA:  [GERONIMO-5387|http://issues.apache.org/jira/browse/GERONIMO-5533]
<br>Affects:  2.2 <br> <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >\\ <br> <br></td></tr>
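            <tr><td class="diff-unchanged" >Review bot: In the second added block the JIRA link label reads GERONIMO-5387 while its URL points at GERONIMO-5533, and GERONIMO-5387 is already the issue cited for the Spring Framework entry on this page, so the label looks like a copy-paste leftover and should match the URL. The same block gives the planned Tomcat upgrade as version 2.0.29, which does not look like a Tomcat release number; please verify it against the patch instructions page linked just above. The patch-instructions link label also doubles the word "Geronimo Geronimo".</td></tr>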
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="2.2.xSecurityReport-ApacheGeronimo2.2.xvulnerabilities"></a>Apache
Geronimo 2.2.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 2.2. Each vulnerability is given a security impact rating either by
the Apache Geronimo team or by the dependent project supplying the fix; note that this rating
is not uniform and will vary from project to project. We also list the versions of Apache
Geronimo the flaw is known to affect; where a flaw has not been verified, the version is listed
with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>


<h2><a name="2.2.xSecurityReport-KnownVulnerabilities"></a>Known Vulnerabilities</h2>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.2.xSecurityReport-CVE20101632andCVE20102076%3AAxis2andCXFHTTPbindingenablesDTDbasedXMLattacks."></a>CVE-2010-1632
and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD-based XML attacks</h4>
<p>A vulnerability was found in both the Axis2 and CXF web services runtimes that can
allow an attacker to determine the presence of files on a target server and potentially extract
their content.  This affects all Geronimo assemblies that include the Axis2 or CXF runtimes,
in particular the javaee5 Jetty and Tomcat assemblies.  Details of the vulnerabilities
can be found in the following Axis2 and CXF security alerts:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>
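<p>The file disclosure described above rests on an XML parser that resolves external entities declared in a DOCTYPE. The following Java class is an added example, not code from the Axis2, CXF or Geronimo projects, showing how an application that parses XML itself can refuse any document carrying a DTD using the standard JAXP <code>DocumentBuilderFactory</code> features. The class name, method names and the two sample documents are constructed for illustration; the feature URIs are the standard Xerces and SAX ones shipped with the JDK.</p>

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class DtdHardenedParser {

    // Constructed sample: a request body carrying a DOCTYPE with an external
    // entity. A parser that resolves the entity would read the referenced file
    // and echo it back inside the element content.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///placeholder/must-not-be-read\">]>\n"
      + "<note>&ext;</note>";

    // Constructed sample: an ordinary document without a DTD.
    static final String PLAIN_XML = "<?xml version=\"1.0\"?><note>hello</note>";

    /** Build a parser that rejects DOCTYPE declarations and external entities. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature: refuse any document that carries a DTD at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Returns the root element's text, or null if the document was rejected. */
    static String parseRootText(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // disallow-doctype-decl raises a SAXParseException as soon as the
            // DOCTYPE is seen, before any entity could be resolved.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document     -> " + parseRootText(PLAIN_XML));
        System.out.println("document with DTD  -> " + parseRootText(UNTRUSTED_XML));
    }
}
```

<p>Compiled and run with a stock JDK, the plain document yields <code>hello</code> while the document carrying a DOCTYPE is rejected and yields <code>null</code>; that is the property an application wants for request bodies it does not control, and the same features can be set on a <code>SAXParserFactory</code> or <code>XMLInputFactory</code> where those are used instead.</p>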


<p>The CXF vulnerabilities are fixed in CXF 2.1.10.  The Axis2 vulnerability will be
fixed in Axis2 1.5.2 and Axiom 1.2.9.  The Axis2 and Axiom releases are not yet available,
but patch versions can be built from the project source trees.  The updated versions will
be included in an upcoming Apache Geronimo 2.2.1 release. </p>

<p>As an immediate workaround, you can disable the web services runtime or manually
patch the server with updated versions of the runtime.  Instructions for disabling the web
services runtime or patching an existing release can be found here: </p>

<ul>
	<li><a href="/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions"
title="Geronimo 2.2.x CVE-2010-1632 Patch Instructions">Geronimo 2.2.x CVE-2010-1632 Patch
Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5383" class="external-link"
rel="nofollow">GERONIMO-5383</a><br/>
Affects:  2.2</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.2.xSecurityReport-CVE20101622%3ASpringFrameworkexecutionofarbitrarycode"></a>CVE-2010-1622:
Spring Framework execution of arbitrary code</h4>
<p>The Spring Framework provides a mechanism to use client-provided data to update the
properties of an object. This mechanism allows an attacker to modify the properties of the
class loader used to load the object (via 'class.classloader'). This can lead to arbitrary
command execution since, for example, an attacker can modify the URLs used by the class loader
to point to locations controlled by the attacker.  Details of this vulnerability can be found
here:</p>

<ul>
	<li><a href="http://www.securityfocus.com/archive/1/511877/30/0/threaded" class="external-link"
rel="nofollow">http://www.securityfocus.com/archive/1/511877/30/0/threaded</a></li>
</ul>
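<p>The property path described above is reachable because every Java object exposes <code>getClass()</code>, so a binder that accepts arbitrary property paths from the request can walk from a form bean into its class loader. The following Spring MVC controller is an added example, not code from the Spring or Geronimo projects and not the SEC02 fix itself: it limits request binding to an explicit allow list with <code>WebDataBinder.setAllowedFields</code> and adds a deny pattern for <code>class.*</code> as a second check, which an application can apply regardless of the Spring version it is deployed on. The <code>ProfileController</code>, <code>ProfileForm</code> and <code>/profile</code> mapping are hypothetical.</p>

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ProfileController {

    /** Hypothetical form-backing bean; like any object it also exposes getClass(). */
    public static class ProfileForm {
        private String displayName;
        private String email;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    /**
     * Restrict request-parameter binding to the fields the form actually owns.
     * A request parameter such as "class.classLoader.<anything>" is then never
     * applied to the bean; the binder records it as a disallowed field instead.
     * Arrays are used rather than varargs so this compiles against Spring 2.5.x.
     */
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields(new String[] { "displayName", "email" });
        // Explicit deny list as a second line of defence. Patterns are the simple
        // "xxx*" / "*xxx*" forms DataBinder understands, so nested paths are covered.
        binder.setDisallowedFields(new String[] { "class.*", "*.class.*" });
    }

    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute("profile") ProfileForm form) {
        // form carries only displayName and email, whatever else was posted
        return "redirect:/profile";
    }
}
```

<p>An allow list is the stronger of the two controls: it makes the set of bindable properties an explicit decision per form rather than relying on a deny pattern to anticipate every path through which a getter can lead to a sensitive object.</p>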


<p>A future Apache Geronimo 2.2.1 release will include an upgrade to Spring Framework
v2.5.6.SEC02. </p>

<p>At the current time, there are no known exposures in the Geronimo server itself due to this
vulnerability, but applications using the included version of the Spring Framework may be vulnerable.
An immediate workaround is to manually patch the server with the updated version of the Spring
Framework.  Instructions for patching an existing release can be found here: </p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x Spring Framework
SEC02 Patch Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5387" class="external-link"
rel="nofollow">GERONIMO-5387</a><br/>
Affects:  2.2</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>
<h4><a name="2.2.xSecurityReport-CVE20102227%3AApacheTomcatRemoteDenialOfServiceandInformationDisclosureVulnerability"></a>CVE-2010-2227:
Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability</h4>
<p>The Tomcat web container contains a vulnerability that may expose the Geronimo server
to remote denial of service attacks and potentially disclose information about applications
running on the Geronimo server.  Details of this vulnerability can be found here:</p>

<ul>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" class="external-link"
rel="nofollow">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227</a></li>
</ul>


<p>A future Apache Geronimo 2.2.1 release will include an upgrade to Tomcat version
2.0.29. </p>

<p>It is recommended that existing servers configured to use the Tomcat web container
be manually patched with the updated version of Tomcat.  Instructions for patching
an existing release can be found here: </p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+CVE-2010-2227+Apache+Tomcat+Remote+Denial+Of+Service+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x CVE-2010-2227 Apache
Tomcat Remote Denial of Service Patch Instructions</a></li>
</ul>


<p>JIRA:  <a href="http://issues.apache.org/jira/browse/GERONIMO-5533" class="external-link"
rel="nofollow">GERONIMO-5533</a><br/>
Affects:  2.2</p>




    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=93185&revisedVersion=5&originalVersion=4">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
