geronimo-scm mailing list archives

From "Jarek Gawor (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache Geronimo > 3.0.x Security Report
Date Mon, 01 Jul 2013 15:25:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/3.0.x+Security+Report">3.0.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~gawor">Jarek
Gawor</a>
    </h4>
        <br/>
                         <h4>Changes (10)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Fixed in Geronimo 3.0.0 {anchor:221}
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h4.
[CVE-2013-1777|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717] - &quot;A
problem in the RMI classloader may enable an attacker to send a serialized object via JMX
that could compromise the system.&quot; have been fixed via [GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253].
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h4.
[CVE-2013-1777|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717] - &quot;Apache
Geronimo 3 RMI classloader exposure&quot; has been fixed via [GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253].
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >Please visit the [3.0.0 Release
Notes|http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-3.0.0/RELEASE_NOTES-3.0.0.txt]
page for details on all of the <span class="diff-changed-words"><span class="diff-added-chars"style="background-color:
#dfd;">i</span>ncluded</span> JIRAs. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Geronimo Server: <br>
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h4.
CVE-2013-1777: RMI classloader exposure <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h4.
CVE-2013-1777:RMI classloader exposure. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">A
misconfigured RMI classloader in Apache Geronimo 3.0 may enable an attacker to send a serialized
object via JMX that could compromise the system. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Geronimo
3.0, Beta 1 or M1 users are strongly encouraged to upgrade to Geronimo 3.0.1. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Remote
exploits can be prevented by hiding the naming (1099) and JMX (9999) ports behind a firewall
or binding the ports to a local network interface. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">*
[Geronimo 3.0.x CVE-2013-1777 Patch Instructions|Geronimo 3.0.x CVE-2013-1777 Patch Instructions]
<br> <br> <br>Affects:  3.0.0 <br> <br> <br> <br>
<br> <br>\\ <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Affects:
3.0.0, 3.0 Beta 1, and 3.0 M1 <br>JIRA: [GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253]
<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="3.0.xSecurityReport-ApacheGeronimo3.0.xvulnerabilities"></a>Apache
Geronimo 3.0.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 3.0. Each vulnerability is given a security impact rating by either
the Apache Geronimo team or the dependent project supplying the fix; note that this rating
is not uniform and will vary from project to project. We also list the versions of Apache
Geronimo the flaw is known to affect and, where a flaw has not been verified against a version,
mark that version with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>

<ul>
	<li><a href="#3.0.xSecurityReport-300">Apache Geronimo 3.0.0</a></li>
</ul>

<h2><a name="3.0.xSecurityReport-FixedinGeronimo3.0.0"></a>Fixed in Geronimo
3.0.0 <a name="3.0.xSecurityReport-221"></a></h2>

<h4><a name="3.0.xSecurityReport-CVE20131777"></a><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1777"
class="external-link" rel="nofollow">CVE-2013-1777</a> - "Apache Geronimo 3 RMI classloader
exposure" has been fixed via <a href="https://issues.apache.org/jira/browse/GERONIMO-6253"
class="external-link" rel="nofollow">GERONIMO-6253</a>.</h4>

<p>Please visit the <a href="http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-3.0.0/RELEASE_NOTES-3.0.0.txt"
class="external-link" rel="nofollow">3.0.0 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="3.0.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>

<h4><a name="3.0.xSecurityReport-CVE20131777%3ARMIclassloaderexposure"></a>CVE-2013-1777:
RMI classloader exposure</h4>

<p>A misconfigured RMI classloader in Apache Geronimo 3.0 may enable an attacker to
send a serialized object via JMX that could compromise the system.</p>

<p>Geronimo 3.0, Beta 1 or M1 users are strongly encouraged to upgrade to Geronimo 3.0.1.</p>

<p>Remote exploitation can be prevented by placing the naming (1099) and JMX (9999) ports
behind a firewall or by binding them to a local (non-public) network interface.</p>
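<p>Added example (not from the Geronimo page or project): a Python check that parses <code>ss -ltn</code> output and reports the naming (1099) and JMX (9999) listeners that are bound to something other than loopback or an operator-approved internal address, which is what the "bind to a local network interface" mitigation above is meant to ensure. The <code>SAMPLE_SS_OUTPUT</code> text is constructed, and <code>check_host</code> assumes iproute2's <code>ss</code> is available on the host.</p>

```python
import subprocess

# Ports named in the Geronimo advisory: RMI naming (1099) and JMX (9999).
ADVISORY_PORTS = {1099: "RMI naming", 9999: "JMX"}
# Bind addresses reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Constructed sample of `ss -ltn` output (not captured from a real Geronimo host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:1099        0.0.0.0:*
LISTEN 0      128    10.0.0.5:9999       0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -ltn`-style output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        addr, _, port = fields[3].rpartition(":")  # handles 0.0.0.0:1099, [::]:9999, *:1099
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def exposed_advisory_ports(ss_output, trusted_addrs=()):
    """Map each advisory port to its bind address when that address is neither loopback
    nor one of trusted_addrs (internal interfaces the operator has approved)."""
    return {
        port: addr
        for addr, port in parse_listeners(ss_output)
        if port in ADVISORY_PORTS
        and not addr.startswith(LOOPBACK_PREFIXES)
        and addr not in trusted_addrs
    }

def check_host(trusted_addrs=()):
    """Run `ss -ltn` on this host (assumes iproute2 is installed) and report exposures."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_advisory_ports(out, trusted_addrs)

if __name__ == "__main__":
    for port, addr in exposed_advisory_ports(SAMPLE_SS_OUTPUT).items():
        print(f"{ADVISORY_PORTS[port]} port {port} is bound to {addr}: reachable beyond localhost")
```

Run it with no arguments to see the constructed sample evaluated; call <code>check_host()</code> on the actual server to audit its live listener table.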

<p>Affects: 3.0.0, 3.0 Beta 1, and 3.0 M1<br/>
JIRA: <a href="https://issues.apache.org/jira/browse/GERONIMO-6253" class="external-link"
rel="nofollow">GERONIMO-6253</a></p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
