geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo > 2.2.x Security Report
Date Mon, 28 May 2012 02:13:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">2.2.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~xiaming">Forrest
Xia</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Fixed in Geronimo 2.2.1 {anchor:221}
<br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h4.
[CVE-2011-5034|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034] and [CVE-2011-4858|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4858]
- &quot;multiple implementations denial-of-service via hash algorithm collision&quot;
have been fixed via [GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253]. <br>
<br></td></tr>
            <tr><td class="diff-unchanged" >Please visit the [2.2.1 Release Notes|http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-2.2.1/RELEASE_NOTES-2.2.1.txt]
page for details on all of the included JIRAs. <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="2.2.xSecurityReport-ApacheGeronimo2.2.xvulnerabilities"></a>Apache
Geronimo 2.2.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 2.2. Each vulnerability is given a security impact rating by either
the Apache Geronimo team or by the dependent project supplying the fix; please note that
this rating is not uniform and will vary from project to project. We also list the versions
of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified, the
version is listed with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>

<ul>
	<li><a href="#2.2.xSecurityReport-221">Apache Geronimo 2.2.1</a><br
class="atl-forced-newline" /></li>
</ul>


<p><br class="atl-forced-newline" /></p>

<h2><a name="2.2.xSecurityReport-FixedinGeronimo2.2.1"></a>Fixed in Geronimo
2.2.1 <a name="2.2.xSecurityReport-221"></a></h2>

<h4><a name="2.2.xSecurityReport-CVE20115034"></a><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034"
class="external-link" rel="nofollow">CVE-2011-5034</a> and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4858"
class="external-link" rel="nofollow">CVE-2011-4858</a> - "multiple implementations
denial-of-service via hash algorithm collision" have been fixed via <a href="https://issues.apache.org/jira/browse/GERONIMO-6253"
class="external-link" rel="nofollow">GERONIMO-6253</a>.</h4>

<p>Please visit the <a href="http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-2.2.1/RELEASE_NOTES-2.2.1.txt"
class="external-link" rel="nofollow">2.2.1 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>


<h4><a name="2.2.xSecurityReport-CVE20101632andCVE20102076%3AAxis2andCXFHTTPbindingenablesDTDbasedXMLattacks."></a>CVE-2010-1632
and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.</h4>

<p>A vulnerability was found in both the Axis2 and CXF web services runtime that can
allow an attacker to determine the presence of files on a target server and potentially extract
the content of the target files.  This affects all Geronimo assemblies that include the Axis2
or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies.  Details of the vulnerabilities
can be found in the following Axis2 and CXF security alerts:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<p>The CXF vulnerabilities are fixed in CXF 2.1.10.  The Axis2 vulnerability will be
fixed in Axis2 1.5.2 and Axiom 1.2.9.</p>
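<p>Added example, not part of the Geronimo page or of the Axis2/CXF fixes: an application-level
XML parser configured to reject any DOCTYPE declaration before an entity can be resolved, which
is the parser setting that closes the file-presence and file-content disclosure path described
above. The class name, the two sample documents and the placeholder entity path are constructed
for this example; the feature URIs are the standard Xerces/JAXP ones.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    /** Returns a DocumentBuilder that refuses DOCTYPE declarations and external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DTD outright: this alone stops entity-based file disclosure.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DTD were accepted, never resolve external entities
        // or fetch an external DTD, and do not expand entity references or XIncludes.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the given XML text; returns null when the hardened parser rejects it. */
    public static Document parseOrReject(DocumentBuilder builder, String xml) {
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            // A DOCTYPE in the input lands here; Xerces reports that DOCTYPE is disallowed.
            System.err.println("rejected: " + e.getMessage());
            return null;
        } catch (IOException e) {
            System.err.println("io error: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder();
        // Constructed sample: an ordinary payload without a DTD is accepted.
        String benign = "<order><item>widget</item></order>";
        // Constructed sample: the same payload preceded by a DOCTYPE declaring a SYSTEM
        // entity (placeholder path) is refused before the entity is ever resolved, so the
        // parser neither reads a local file nor reveals whether the path exists.
        String withDoctype = "<!DOCTYPE order [<!ENTITY x SYSTEM \"file:///placeholder/not-read\">]>"
                + "<order>&x;</order>";
        System.out.println("benign parsed: " + (parseOrReject(b, benign) != null));
        System.out.println("doctype parsed: " + (parseOrReject(b, withDoctype) != null));
    }
}
```

<p>Running the class prints <code>benign parsed: true</code> and <code>doctype parsed: false</code>.
The same features should be applied to every parser the application creates (SAX, StAX and
the JAXB/SOAP stacks have their own equivalents); the web services runtime upgrade above fixes the
parsers Axis2 and CXF create internally, not those the deployed application instantiates itself.</p>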

<p>An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1,
is to disable the web services runtime or manually patch the server with updated versions
of the runtime.  Instructions for disabling the web services runtime or patching an existing
release can be found here:</p>

<ul>
	<li><a href="/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions"
title="Geronimo 2.2.x CVE-2010-1632 Patch Instructions">Geronimo 2.2.x CVE-2010-1632 Patch
Instructions</a></li>
</ul>


<p>JIRA: <a href="http://issues.apache.org/jira/browse/GERONIMO-5383" class="external-link"
rel="nofollow">GERONIMO-5383</a><br/>
Affects:  2.2</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>


<h4><a name="2.2.xSecurityReport-CVE20101622%3ASpringFrameworkexecutionofarbitrarycode"></a>CVE-2010-1622:
Spring Framework execution of arbitrary code</h4>

<p>The Spring Framework provides a mechanism to use client provided data to update the
properties of an object. This mechanism allows an attacker to modify the properties of the
class loader used to load the object (via 'class.classloader'). This can lead to arbitrary
command execution since, for example, an attacker can modify the URLs used by the class loader
to point to locations controlled by the attacker.  Details of this vulnerability can be found
here:</p>

<ul>
	<li><a href="http://www.securityfocus.com/archive/1/511877/30/0/threaded" class="external-link"
rel="nofollow">http://www.securityfocus.com/archive/1/511877/30/0/threaded</a></li>
</ul>


<p>At the current time, there are no known exposures in the Geronimo server due to this
exploit, but applications using the included version of the Spring Framework may be vulnerable.
The Apache Geronimo 2.2.1 release includes an upgrade to Spring Framework v2.5.6.SEC02 to fix
this.</p>
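<p>Added example, not part of the Geronimo page or of the Spring SEC02 fix: an application-side
allowlist on Spring's <code>DataBinder</code>, so that only explicitly named properties can be set
from client input and any other path, nested ones such as <code>class.classLoader.*</code>
included, is suppressed rather than applied to the bean. The <code>Order</code> bean, the
<code>AllowlistedBinding</code> class and the sample request values are constructed for this
example; it relies only on the long-standing <code>DataBinder</code> API
(<code>setAllowedFields</code>, <code>bind</code>, <code>getBindingResult</code>).</p>

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

/** Constructed target bean whose properties may legitimately be set from client input. */
class Order {
    private String item;
    private int quantity;
    public String getItem() { return item; }
    public void setItem(String item) { this.item = item; }
    public int getQuantity() { return quantity; }
    public void setQuantity(int quantity) { this.quantity = quantity; }
}

public class AllowlistedBinding {

    /**
     * Binds client-supplied name/value pairs to an Order, accepting only an explicit
     * allowlist of property paths. Every other path is dropped by the binder and
     * recorded as a suppressed field instead of being written to the bean.
     */
    public static DataBinder bindOrder(Order target, MutablePropertyValues clientValues) {
        DataBinder binder = new DataBinder(target, "order");
        // Deny by default: only these two leaf properties may be written by clients.
        // Nested paths (anything containing a dot) are not in the list and so never bind.
        binder.setAllowedFields(new String[] {"item", "quantity"});
        binder.bind(clientValues);
        return binder;
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Constructed sample of what a request's parameters might carry: two legitimate
        // fields plus a nested path aimed at the bean's class loader (placeholder URL).
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.addPropertyValue("item", "widget");
        pvs.addPropertyValue("quantity", "3");
        pvs.addPropertyValue("class.classLoader.URLs[0]", "http://placeholder.invalid/");

        DataBinder binder = bindOrder(order, pvs);
        System.out.println("item=" + order.getItem() + " quantity=" + order.getQuantity());
        // The class loader path never reached the bean; it is reported here instead,
        // which is also a useful signal to log and alert on.
        for (String field : binder.getBindingResult().getSuppressedFields()) {
            System.out.println("suppressed: " + field);
        }
    }
}
```

<p>The allowlist is independent of the SEC02 upgrade: the upgrade stops the framework from
exposing the class loader through property paths at all, while the allowlist keeps an
application from binding any property it did not intend to expose, including ones added to a
bean later.</p>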

<p>An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1,
is to manually patch the server with the updated version of the Spring Framework.  Instructions
for patching an existing release can be found here:</p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+Spring+Framework+SEC02+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x Spring Framework
SEC02 Patch Instructions</a></li>
</ul>


<p>JIRA: <a href="http://issues.apache.org/jira/browse/GERONIMO-5387" class="external-link"
rel="nofollow">GERONIMO-5387</a><br/>
Affects:  2.2</p>

<h3><a name="2.2.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>


<h4><a name="2.2.xSecurityReport-CVE20102227%3AApacheTomcatRemoteDenialOfServiceandInformationDisclosureVulnerability"></a>CVE-2010-2227:
Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability</h4>

<p>The Tomcat web container contains a vulnerability that may expose the Geronimo server
to remote denial of service attacks and potentially disclose information about applications
running on the Geronimo server.  Details of this vulnerability can be found here:</p>

<ul>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" class="external-link"
rel="nofollow">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227</a></li>
</ul>


<p>The Apache Geronimo 2.2.1 release includes an upgrade to Tomcat version 2.0.29 to fix
this.</p>

<p>An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1,
is to manually patch the server with the updated version of Tomcat.  Instructions for
patching an existing release can be found here:</p>

<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.1.x+and+2.2.x+CVE-2010-2227+Apache+Tomcat+Remote+Denial+Of+Service+Patch+Instructions"
class="external-link" rel="nofollow">Geronimo 2.1.x and 2.2.x CVE-2010-2227 Apache
Tomcat Remote Denial of Service Patch Instructions</a></li>
</ul>


<p>JIRA: <a href="http://issues.apache.org/jira/browse/GERONIMO-5533" class="external-link"
rel="nofollow">GERONIMO-5387</a><br/>
Affects:  2.2</p>



<p><br class="atl-forced-newline" /></p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/2.2.x+Security+Report">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=93185&revisedVersion=8&originalVersion=7">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
