geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Struberg <strub...@yahoo.de>
Subject Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.
Date Mon, 02 Jul 2018 06:54:26 GMT
Ohh, that's really a false positive :(

From the CVE-2011-5034:

> Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting

This only affects the Apache Geronimo Application Server - which is now retired btw. 
And there it affects HTTP post parameter parsing afaict.

It has nothing to do with the spec jars you listed. Those are really clean.


LieGrue,
strub


> Am 02.07.2018 um 07:38 schrieb Munna <abhilash.kyatham@gmail.com>:
> 
> No, There is no class mentioned in the report. 
> 
> Report just says as below Apache activeMQ has these jars and this may lead
> to hash collisions.
> 
> Apache Geronimo 2.2.1 and earlier computes hash values for form parameters
> without restricting the ability to trigger hash collisions predictably,
> which allows remote attackers to cause a denial of service (CPU consumption)
> by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
> 
> You can see this in below link :
> https://nvd.nist.gov/vuln/detail/CVE-2011-5034
> 
> Here it says solution as replace latest apache geronimo jar but this part of
> Apache activemq latest version and not using independent jars.How can i fix
> it.?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034
> 
> 
> 
> 
> 
> --
> Sent from: http://apache-geronimo.328035.n3.nabble.com/Users-f328036.html


Mime
View raw message