Edit Page
 Apache Geronimo > Index > Community > Security Reports > 2.1.x Security Report User List | Dev List | Wiki | Issue Tracker  
  Overview
Home
Documentation
Downloads
News Archive
Project Management
License
Privacy Policy
ASF
  Search
Powered by Google Search
  Community
Events
Get Involved
Committers
Mailing Lists
Discussion Forums
IRC
FAQ
Wiki
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
  Development
Javadoc
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
  Subprojects
Development Tools
Sample Applications
GBuild
GShell
XBean
Yoko
Java EE Specs
Components
Plugins
Graphics by Epiq
RSS News
RSS Site Changes
ATOM" User Mailing List
ATOM Developer Mailing List

Apache Geronimo 2.1.x vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.


Other Known Vulnerabilities

None at this time.


Fixed in Geronimo 2.1.5-SNAPSHOT

Please visit the 2.1.5 Release Status page for details on all of the included JIRAs and planned release dates.

None at this time.


Fixed in Geronimo 2.1.4

Please visit the 2.1.4 Release Notes page for details on all of the included JIRAs.

Geronimo Server

Included patch to close potential denial of service attack vector (OOM) in Tomcat session handling

JIRA: GERONIMO-3838
Affects: 2.1-2.1.3

Geronimo Admin Console:

CVE-2008-5518: Apache Geronimo web administration console directory traversal vulnerabilities.

A vulnerability was found in several portlets including Services/Repository, Embedded DB/DB Manager, and Security/Keystores when running the Apache Geronimo server on Windows. This issue may allow a remote attacker to upload any file in any directory. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3

CVE-2009-0038: Apache Geronimo web administration console XSS vulnerabilities

Various linked and stored cross-site scripting (XSS) vulnerabilities were found in the Apache Geronimo administrative console and related utilities. Using this vulnerability an attacker can steal an administrator's cookie and then authenticate as administrator or perform certain administrative actions. For example, a user can inject XSS in some URLs or in several input fields in various portlets. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) and Marc Schoenefeld (Red Hat Security Response Team) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3

CVE-2009-0039: Apache Geronimo web administration console XSRF vulnerabilities

Various cross-site request forgery (XSRF or CSRF) vulnerabilities were identified in the Apache Geronimo web administration console. Exploiting these issues may allow a remote attacker to perform certain administrative actions, e.g. change web administration password, upload applications, etc... using predictable URL requests once the user has authenticated and obtained a valid session with the server. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server.
Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes.

JIRA: GERONIMO-4597
Affects: 2.1-2.1.3


Fixed in Geronimo 2.1.3

Please visit the 2.1.3 Release Notes page for details on all of the included JIRAs.

DWR

Upgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -

  • DWR version 2.0.5 fixed 1 XSS vulnerabilities in r2077 
    r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines

Fix for XSS issue in ExceptionHandler:

PartialResponse.fromOrdinal() throws a NumberFormatException trying to
parse the 'partialResponse' parameter.  This exception is never caught,
prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
which calls out.println(cause.getMessage()), thereby causing the XSS.

JIRA: GERONIMO-4266
Affects: 2.1-2.1.2

ActiveMQ

Included ActiveMQ patch for the following security exposure -

  • AMQ-1272 - Stomp protocol does not correctly check authentication (security hole)

JIRA: GERONIMO-4262
Affects: 2.1-2.1.2

Tomcat

Upgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4245
Affects: 2.1-2.1.2


Fixed in Geronimo 2.1.2

DWR

Upgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes -

JIRA: GERONIMO-4116
Affects: 2.1-2.1.1

Tomcat

Upgraded from Tomcat 6.0.14 to 6.0.16 to include the following security fixes -

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4085
Affects: 2.1-2.1.1


Fixed in Geronimo 2.1.1

None
   Delicious Bookmark this on Delicious    Digg! Digg this    Privacy Policy  -   Copyright © 2003-2009, The Apache Software Foundation, Licensed under ASL 2.0.