Edit Page
 Index > 2007 > 09 > 07 > MEJB Security Alert User List | Dev List | Wiki | Issue Tracker  
  Overview
Home
Documentation
Downloads
News Archive
Project Management
License
Privacy Policy
ASF
  Search
Powered by Google Search
  Community
Events
Get Involved
Committers
Mailing Lists
Discussion Forums
Blog
IRC
FAQ
Wiki
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
  Development
Javadoc
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
  Subprojects
Development Tools
Sample Applications
GBuild
GShell
XBean
Yoko
Java EE Specs
Components
Plugins
RSS News
RSS Site Changes
ATOM User Mailing List
ATOM Developer Mailing List

2007-09-06
We have discovered a security vulnerability in Geronimo, where the management EJB (MEJB) allows unchallenged access to Geronimo internals.
As a temporary workaround you can modify the config.xml to disable MEJB.

To disable MEJB make the following modifications to the configuration file at <geronimo_home>/var/config.xml.

Excerpt from config.xml
....
<module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
    ...
    </gbean>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
</module>
...

We will be releasing a new version soon to control access to MEJB in a more secure way. This issue will be tracked in JIRA GERONIMO-3456.