geronimo-scm mailing list archives

From "Jarek Gawor (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache Geronimo > 3.0.x Security Report
Date Mon, 01 Jul 2013 16:07:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/3.0.x+Security+Report">3.0.x
Security Report</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~gawor">Jarek
Gawor</a>
    </h4>
        <br/>
                         <h4>Changes (3)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Fixed in Geronimo 3.0.0 {anchor:221}
<br> <br></td></tr>
            <tr><td class="diff-changed-lines" >h4. [CVE-2013-1777|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717]
- &quot;Apache Geronimo 3 RMI classloader exposure&quot; has been fixed via <span
class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">[GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253].</span>
<span class="diff-added-words"style="background-color: #dfd;">[GERONIMO-6477|https://issues.apache.org/jira/browse/GERONIMO-6477].</span>
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>Please visit the [3.0.0
Release Notes|http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-3.0.0/RELEASE_NOTES-3.0.0.txt]
page for details on all of the included JIRAs. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>Affects: 3.0.0, 3.0 Beta
1, and 3.0 M1 <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">JIRA:
[GERONIMO-6253|https://issues.apache.org/jira/browse/GERONIMO-6253] <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">JIRA:
[GERONIMO-6477|https://issues.apache.org/jira/browse/GERONIMO-6477] <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="3.0.xSecurityReport-ApacheGeronimo3.0.xvulnerabilities"></a>Apache
Geronimo 3.0.x vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in maintenance releases or interim
builds of Apache Geronimo 3.0. Each vulnerability is given a security impact rating either by
the Apache Geronimo team or by the dependent project supplying the fix; please note that
this rating is not uniform and will vary from project to project. We also list the versions
of Apache Geronimo the flaw is known to affect and, where a flaw has not been verified, list
the version with a question mark.</p>

<p>Please send comments or corrections for these vulnerabilities to the <a href="mailto:security@geronimo.apache.org"
class="external-link" rel="nofollow">Geronimo Security mailing list</a>.</p>

<ul>
	<li><a href="#3.0.xSecurityReport-300">Apache Geronimo 3.0.0</a><br
class="atl-forced-newline" /></li>
</ul>



<h2><a name="3.0.xSecurityReport-FixedinGeronimo3.0.0"></a>Fixed in Geronimo
3.0.0 <a name="3.0.xSecurityReport-221"></a></h2>

<h4><a name="3.0.xSecurityReport-CVE20131777"></a><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1777"
class="external-link" rel="nofollow">CVE-2013-1777</a> - "Apache Geronimo 3 RMI classloader
exposure" has been fixed via <a href="https://issues.apache.org/jira/browse/GERONIMO-6477"
class="external-link" rel="nofollow">GERONIMO-6477</a>.</h4>

<p>Please visit the <a href="http://svn.apache.org/repos/asf/geronimo/server/tags/geronimo-3.0.0/RELEASE_NOTES-3.0.0.txt"
class="external-link" rel="nofollow">3.0.0 Release Notes</a> page for details on
all of the included JIRAs.</p>

<h3><a name="3.0.xSecurityReport-GeronimoServer%3A"></a>Geronimo Server:</h3>

<h4><a name="3.0.xSecurityReport-CVE20131777%3ARMIclassloaderexposure"></a>CVE-2013-1777:
RMI classloader exposure</h4>

<p>A misconfigured RMI classloader in Apache Geronimo 3.0 may enable an attacker to
send a serialized object via JMX that could compromise the system.</p>

<p>Geronimo 3.0, Beta 1 or M1 users are strongly encouraged to upgrade to Geronimo 3.0.1.</p>

<p>Remote exploits can be prevented by hiding the naming (1099) and JMX (9999) ports
behind a firewall or binding the ports to a local network interface.</p>
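<p>The mitigation above can be verified from the host itself. The following script is an added example (not part of the Geronimo security report or the Geronimo project) that reads <code>ss -ltn</code> output and reports which of the naming (1099) and JMX (9999) listeners are bound to a wildcard address instead of loopback or a specific local interface, then prints a sample <code>iptables</code> rule for each exposed port. It assumes a Linux host with <code>ss</code> from iproute2 and the default port numbers named on this page (override them via <code>GERONIMO_PORTS</code>); the <code>ss</code> lines embedded in the script are constructed sample data.</p>

```shell
#!/bin/sh
# Added example, not code from the Geronimo project: flag Geronimo management
# ports (naming 1099, JMX 9999 by default) that listen on all interfaces.
# Assumes Linux `ss -ltn` output; port list is an assumption taken from the
# advisory text and can be overridden through GERONIMO_PORTS.

GERONIMO_PORTS="${GERONIMO_PORTS:-1099 9999}"

# exposed_ports: read `ss -ltn` lines on stdin, print each configured port
# whose local address is a wildcard (0.0.0.0, *, :: or [::]), sorted, unique.
exposed_ports() {
    awk -v ports="$GERONIMO_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            # $4 is "Local Address:Port"; the port is the text after the last colon
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[^:]*$/, "", host)
            if (!(port in want)) next
            if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]") print port
        }' | sort -u
}

# report: human-readable summary; returns 1 when any management port is exposed.
# Usage on a real host:  ss -ltn | report
report() {
    exposed=$(exposed_ports)
    if [ -z "$exposed" ]; then
        echo "ok: no Geronimo management port is bound to a wildcard address"
        return 0
    fi
    for port in $exposed; do
        echo "warning: port $port listens on all interfaces; restrict it, e.g.:"
        # Drop anything for this port that did not arrive on the loopback device;
        # alternatively rebind the listener to a specific local interface.
        echo "  iptables -A INPUT -p tcp --dport $port ! -i lo -j DROP"
    done
    return 1
}

# Constructed sample `ss -ltn` output: naming port exposed on all IPv4
# interfaces, JMX port correctly bound to loopback, plus an unrelated HTTP port.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:1099        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*'

# Stand-alone demonstration against the sample (reports port 1099 as exposed).
printf '%s\n' "$SAMPLE_SS" | report || :
```

<p>Binding the listeners to a specific interface in the server configuration is the stronger fix; the firewall rule only limits reachability of a listener that is still open to every address.</p>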

<p>Affects: 3.0.0, 3.0 Beta 1, and 3.0 M1<br/>
JIRA: <a href="https://issues.apache.org/jira/browse/GERONIMO-6477" class="external-link"
rel="nofollow">GERONIMO-6477</a></p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
