geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > Geronimo 2.1.x and 2.2.x CVE-2010-2227 Apache Tomcat Remote Denial Of Service Patch Instructions
Date Mon, 16 Aug 2010 16:13:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+CVE-2010-2227+Apache+Tomcat+Remote+Denial+Of+Service+Patch+Instructions">Geronimo
2.1.x and 2.2.x CVE-2010-2227 Apache Tomcat Remote Denial Of Service Patch Instructions</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >org.apache.geronimo.ext.tomcat/tribes/6.0.26/jar=org.apache.geronimo.ext.tomcat/tribes/6.0.29/jar
<br>org.apache.geronimo.ext.tomcat/util/6.0.26/jar=org.apache.geronimo.ext.tomcat/util/6.0.29/jar
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">{noformat}
<br></td></tr>
            <tr><td class="diff-unchanged" >* Start the server. <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
<h1><a name="Geronimo2.1.xand2.2.xCVE-2010-2227ApacheTomcatRemoteDenialOfServicePatchInstructions-Geronimo2.1.xandGeronimo2.2PatchInstructionstheTomcatCVE20102227Vulnerability."></a>Geronimo
2.1.x and Geronimo 2.2 Patch Instructions for the Tomcat CVE-2010-2227 Vulnerability</h1>
<p>The Tomcat project has recently discovered a security vulnerability which may allow
a remote denial of service attack or an information disclosure exploit.  For more information
on this security vulnerability, refer to the following document:</p>
<ul>
	<li><a href="http://www.securityfocus.com/archive/1/archive/1/512272/100/0/threaded"
class="external-link" rel="nofollow">http://www.securityfocus.com/archive/1/archive/1/512272/100/0/threaded</a></li>
</ul>


<h2><a name="Geronimo2.1.xand2.2.xCVE-2010-2227ApacheTomcatRemoteDenialOfServicePatchInstructions-HowisApacheGeronimoAffected%3F"></a>How
is Apache Geronimo Affected?</h2>

<p>Apache Geronimo uses the Tomcat component as one of the supported web containers
for the Geronimo server.  Servers configured to use the Tomcat web container may be vulnerable
to either of these exploits. </p>

<p>These issues have been fixed in the tomcat-parent-6.0.29 component used by Geronimo.
</p>

<h2><a name="Geronimo2.1.xand2.2.xCVE-2010-2227ApacheTomcatRemoteDenialOfServicePatchInstructions-HowcanIavoidthesevulnerabilitiesinApacheGeronimo%3F"></a>How
can I avoid these vulnerabilities in Apache Geronimo?</h2>

<p>If you wish to remain on an existing version of Geronimo, the installation can be
patched to avoid the vulnerability.  The following steps will upgrade the Tomcat libraries
used by the server. </p>

<ul>
	<li>If your server is running, stop it.</li>
	<li>Make a backup of the directory &lt;G_HOME&gt;/repository/org/apache/geronimo/ext/tomcat/.
 Once done, delete the directory &lt;G_HOME&gt;/repository/org/apache/geronimo/ext/tomcat.</li>
	<li>Download the 6.0.29 version of all jars present in the tomcat repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/" class="external-link"
rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/</a>.
 For example, spring-beans-2.5.6.SEC02.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/</a>.
 The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/catalina/6.0.29/catalina-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/catalina/6.0.29/catalina-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/catalina-ha/6.0.29/catalina-ha-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/catalina-ha/6.0.29/catalina-ha-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/jasper/6.0.29/jasper-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/jasper/6.0.29/jasper-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/jasper-el/6.0.29/jasper-el-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/jasper-el/6.0.29/jasper-el-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/shared/6.0.29/shared-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/shared/6.0.29/shared-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/tribes/6.0.29/tribes-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/tribes/6.0.29/tribes-6.0.29.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/util/6.0.29/util-6.0.29.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/geronimo/ext/tomcat/util/6.0.29/util-6.0.29.jar</a></li>
	</ul>
	</li>
</ul>


<ul>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy catalina-6.0.29.jar to &lt;G_HOME&gt;/repository/org/apache/geronimo/ext/tomcat/catalina/6.0.29/.</li>
	<li>Open the &lt;G_HOME&gt;/var/config/artifact_aliases.properties in edit
mode and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>org.apache.geronimo.ext.tomcat/catalina/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina/6.0.29/jar
org.apache.geronimo.ext.tomcat/catalina-ha/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina-ha/6.0.29/jar
org.apache.geronimo.ext.tomcat/jasper/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper/6.0.29/jar
org.apache.geronimo.ext.tomcat/jasper-el/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper-el/6.0.29/jar
org.apache.geronimo.ext.tomcat/shared/6.0.26/jar=org.apache.geronimo.ext.tomcat/shared/6.0.29/jar
org.apache.geronimo.ext.tomcat/tribes/6.0.26/jar=org.apache.geronimo.ext.tomcat/tribes/6.0.29/jar
org.apache.geronimo.ext.tomcat/util/6.0.26/jar=org.apache.geronimo.ext.tomcat/util/6.0.29/jar
</pre>
</div></div></li>
	<li>Start the server.</li>
</ul>
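<p>The steps above, scripted for a POSIX shell as an added example (this is editor-supplied code, not part of the wiki page or of the Geronimo project). It assumes the &lt;G_HOME&gt; layout described above, that <code>curl</code> and <code>sha1sum</code> are available, and that Maven Central serves a <code>.sha1</code> sidecar next to each jar; the <code>https</code> scheme, the backup location under &lt;G_HOME&gt;, and the idempotent alias insertion are choices made here that go beyond the page's wording. Each step is a function so the pieces can be run and checked separately.</p>

```shell
#!/bin/sh
# Added example: automates the Geronimo Tomcat 6.0.26 -> 6.0.29 patch steps.
# Not the wiki page's or the Geronimo project's own code.
# Assumes $G_HOME is a Geronimo 2.1.x/2.2 install with the documented layout.
set -eu

GROUP_PATH="org/apache/geronimo/ext/tomcat"          # repository directory form
GROUP_ID="org.apache.geronimo.ext.tomcat"            # artifact_aliases.properties form
OLD_VERSION="6.0.26"
NEW_VERSION="6.0.29"
ARTIFACTS="catalina catalina-ha jasper jasper-el shared tribes util"
REPO_BASE="https://repo1.maven.org/maven2"           # https is an assumption here

# Repository path (relative to G_HOME) of one artifact/version jar.
repo_jar_path() {  # $1=artifact $2=version
  printf '%s\n' "repository/$GROUP_PATH/$1/$2/$1-$2.jar"
}

# One artifact_aliases.properties line redirecting the old jar to the new one.
alias_entry() {  # $1=artifact
  printf '%s/%s/%s/jar=%s/%s/%s/jar\n' \
    "$GROUP_ID" "$1" "$OLD_VERSION" "$GROUP_ID" "$1" "$NEW_VERSION"
}

# Compare a jar against its Maven Central .sha1 sidecar (hex digest is the first token).
verify_sha1() {  # $1=jar $2=sidecar file
  expected=$(awk '{print $1}' "$2")
  actual=$(sha1sum "$1" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# Fetch every 6.0.29 jar plus its checksum into a flat directory (needs network).
download_jars() {  # $1=download dir
  mkdir -p "$1"
  for a in $ARTIFACTS; do
    url="$REPO_BASE/$GROUP_PATH/$a/$NEW_VERSION/$a-$NEW_VERSION.jar"
    curl -fsS -o "$1/$a-$NEW_VERSION.jar" "$url"
    curl -fsS -o "$1/$a-$NEW_VERSION.jar.sha1" "$url.sha1"
    verify_sha1 "$1/$a-$NEW_VERSION.jar" "$1/$a-$NEW_VERSION.jar.sha1" \
      || { echo "checksum mismatch for $a-$NEW_VERSION.jar" >&2; return 1; }
  done
}

# Copy downloaded jars into the repository layout; fail if any jar is missing.
install_jars() {  # $1=G_HOME $2=download dir
  for a in $ARTIFACTS; do
    src="$2/$a-$NEW_VERSION.jar"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    dest="$1/$(repo_jar_path "$a" "$NEW_VERSION")"
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
  done
}

# Append the alias entries, skipping ones already present, so re-runs do not duplicate.
add_aliases() {  # $1=G_HOME
  props="$1/var/config/artifact_aliases.properties"
  mkdir -p "$(dirname "$props")"
  touch "$props"
  for a in $ARTIFACTS; do
    line=$(alias_entry "$a")
    grep -qxF "$line" "$props" || printf '%s\n' "$line" >> "$props"
  done
}

# Whole procedure after the server is stopped: back up and remove the old tomcat
# tree, install the new jars, add the aliases. Backup location is a choice made here.
apply_patch() {  # $1=G_HOME $2=download dir
  old="$1/repository/$GROUP_PATH"
  if [ -d "$old" ]; then
    backup="$1/tomcat-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    cp -R "$old" "$backup/"
    rm -rf "$old"
  fi
  install_jars "$1" "$2"
  add_aliases "$1"
}

# Typical use (server stopped first):
#   download_jars /tmp/tomcat-6.0.29 && apply_patch "$G_HOME" /tmp/tomcat-6.0.29
```

<p>After <code>apply_patch</code> returns, start the server as the last step above. The checksum comparison is the check the page does not spell out: it catches a truncated or tampered download before the jar is placed on the container's classpath.</p>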

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+CVE-2010-2227+Apache+Tomcat+Remote+Denial+Of+Service+Patch+Instructions">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=23335096&revisedVersion=2&originalVersion=1">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
