Edit Page
 Index > Community > Security Reports > 2.1.x Security Report User List | Dev List | Wiki | Issue Tracker  
  Overview
Home
Documentation
Downloads
News Archive
Project Management
License
Privacy Policy
ASF
  Search
Powered by Google Search
  Community
Events
Get Involved
Committers
Mailing Lists
Discussion Forums
Blog
IRC
FAQ
Wiki
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
  Development
Javadoc
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
  Subprojects
Development Tools
Sample Applications
GBuild
GShell
XBean
Yoko
Java EE Specs
Components
Plugins
RSS News
RSS Site Changes
ATOM User Mailing List
ATOM Developer Mailing List

Apache Geronimo 2.1.x vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.


Other Known Vulnerabilities

None at this time.


Fixed in Geronimo 2.1.8

Please visit the 2.1.8 Release Notes page for details on all of the included JIRAs.

Geronimo Server:

Upgraded from Tomcat 6.0.29 to 6.0.35 to include the following security fixes

Fixed in Apache Tomcat 6.0.35

  • Important: multiple implementations denial-of-service via hash algorithm collision CVE-2011-4858
  • Important: Authentication bypass and information disclosure CVE-2011-3190

Fixed in Apache Tomcat 6.0.33

Fixed in Apache Tomcat 6.0.32

Fixed in Apache Tomcat 6.0.30


Fixed in Geronimo 2.1.7

Please visit the 2.1.7 Release Notes page for details on all of the included JIRAs.

Geronimo Server:

CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability

The Tomcat web container contains a vulnerability that may expose the Geronimo server to remote denial of service attacks and potentially disclose information about applications running on the Geronimo server. Details of this vulnerability can be found here:

An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.7, is to manually patch the server with the updated version of the Tomcat. Instructions for patching an existing release can be found here:

JIRA: GERONIMO-5387
Affects: 2.1.1-2.1.6


Fixed in Geronimo 2.1.6

Please visit the 2.1.6 Release Notes page for details on all of the included JIRAs.

Geronimo Server:

CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.

A vulnerability was found in both the Axis2 and CXF web services runtime that can allow an attacker to determine the presence of files on a target server and potentially extract the content of the target files. This affects all Geronimo assemblies that include the Axis2 or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies. Details of the vulnerabilities can be found in the following Axis2 and CXF security alerts:

The Apache Geronimo 2.1.6 release includes patches to Axis2 1.3 and Axiom 1.2.5 and an upgrade to CXF 2.1.13.

An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6, is to disable the web services runtime or manually patch the server with updated versions of the runtime. Instructions for disabling the web services runtime or patching an existing release can be found here:

JIRA: GERONIMO-5383
Affects: 2.1-2.1.5

Geronimo Server:

CVE-2010-1622: Spring Framework execution of arbitrary code

The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker. Details of this vulnerability can be found here:

The Apache Geronimo 2.1.6 release includes an upgrade to Spring Framework v2.5.6.SEC02.

At the current time, there are no known exposures in the Geronimo server due to this exploit, but applications using the included version of the Spring Framework may be vulnerable. An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6, is to manually patch the server with the updated version of the Spring Framework. Instructions for patching an existing release can be found here:

JIRA: GERONIMO-5387
Affects: 2.1-2.1.5

Fixed in Geronimo 2.1.5

Please visit the 2.1.5 Release Notes page for details on all of the included JIRAs.

Fixed in Geronimo 2.1.4

Please visit the 2.1.4 Release Notes page for details on all of the included JIRAs.

Geronimo Server

Included patch to close potential denial of service attack vector (OOM) in Tomcat session handling

JIRA: GERONIMO-3838
Affects: 2.1-2.1.3

Geronimo Admin Console:

CVE-2008-5518: Apache Geronimo web administration console directory traversal vulnerabilities.

A vulnerability was found in several portlets including Services/Repository, Embedded DB/DB Manager, and Security/Keystores when running the Apache Geronimo server on Windows. This issue may allow a remote attacker to upload any file in any directory. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3

CVE-2009-0038: Apache Geronimo web administration console XSS vulnerabilities

Various linked and stored cross-site scripting (XSS) vulnerabilities were found in the Apache Geronimo administrative console and related utilities. Using this vulnerability an attacker can steal an administrator's cookie and then authenticate as administrator or perform certain administrative actions. For example, a user can inject XSS in some URLs or in several input fields in various portlets. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) and Marc Schoenefeld (Red Hat Security Response Team) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3

CVE-2009-0039: Apache Geronimo web administration console XSRF vulnerabilities

Various cross-site request forgery (XSRF or CSRF) vulnerabilities were identified in the Apache Geronimo web administration console. Exploiting these issues may allow a remote attacker to perform certain administrative actions, e.g. change web administration password, upload applications, etc... using predictable URL requests once the user has authenticated and obtained a valid session with the server. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3


Fixed in Geronimo 2.1.3

Please visit the 2.1.3 Release Notes page for details on all of the included JIRAs.

DWR

Upgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -

  • DWR version 2.0.5 fixed 1 XSS vulnerabilities in r2077
    r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines
    
    Fix for XSS issue in ExceptionHandler:
    
    PartialResponse.fromOrdinal() throws a NumberFormatException trying to
    parse the 'partialResponse' parameter.  This exception is never caught,
    prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
    which calls out.println(cause.getMessage()), thereby causing the XSS.
    

JIRA: GERONIMO-4266
Affects: 2.1-2.1.2

ActiveMQ

Included ActiveMQ patch for the following security exposure -

  • AMQ-1272 - Stomp protocol does not correctly check authentication (security hole)

JIRA: GERONIMO-4262
Affects: 2.1-2.1.2

Tomcat

Upgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4245
Affects: 2.1-2.1.2


Fixed in Geronimo 2.1.2

DWR

Upgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes -

JIRA: GERONIMO-4116
Affects: 2.1-2.1.1

Tomcat

Upgraded from Tomcat 6.0.14 to 6.0.16 to include the following security fixes -

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4085
Affects: 2.1-2.1.1


Fixed in Geronimo 2.1.1

None