Apache Geronimo 2.2.x vulnerabilities
This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.2. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix; please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect and, where a flaw has not been verified, list the version with a question mark.
Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.
Fixed in Geronimo 2.2.1
CVE-2011-5034 and CVE-2011-4858 - "multiple implementations denial-of-service via hash algorithm collision" have been fixed via GERONIMO-6253.
Please visit the 2.2.1 Release Notes page for details on all of the included JIRAs.
CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.
A vulnerability was found in both the Axis2 and CXF web services runtime that can allow an attacker to determine the presence of files on a target server and potentially extract the content of the target files. This affects all Geronimo assemblies that include the Axis2 or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies. Details of the vulnerabilities can be found in the following Axis2 and CXF security alerts:
The CXF vulnerabilities are fixed in CXF 2.1.10. The Axis2 vulnerability will be fixed in Axis2 1.5.2 and Axiom 1.2.9.
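The DTD-based attacks above work because the web services runtime lets a request supply its own DTD, and with it external entity declarations. The following is an added example, not code from Geronimo, Axis2 or CXF, of a JAXP parser configured to refuse any DOCTYPE before the body is read; the feature URIs are the standard Xerces/SAX ones shipped with the JDK, and the sample documents are constructed here.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example, not project code: hardened DOM parsing for inbound XML messages.
public class HardenedXmlParser {

    /** Builds a DOM parser that refuses DOCTYPE declarations and external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary control: no DTD at all, so a request cannot declare entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if it was rejected for carrying a DTD. */
    public static boolean accepts(String xml) throws ParserConfigurationException, IOException {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException on the DOCTYPE line.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages: a plain body and one that carries a DTD.
        String plain = "<env><body><ping>ok</ping></body></env>";
        String withDtd = "<!DOCTYPE env [<!ENTITY x \"declared\">]><env><body>&x;</body></env>";
        System.out.println("plain document accepted: " + accepts(plain));
        System.out.println("DTD document accepted:   " + accepts(withDtd));
    }
}
```

The same feature settings apply to SAXParserFactory and XMLInputFactory; a runtime that leaves the JDK defaults in place resolves the DTD and its external entities during parsing.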
An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to disable the web services runtime or manually patch the server with updated versions of the runtime. Instructions for disabling the web services runtime or patching an existing release can be found here:
CVE-2010-1622: Spring Framework execution of arbitrary code
The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker. Details of this vulnerability can be found here:
At the current time, there are no known exposures in the Geronimo server due to this exploit, but applications using the included version of the Spring Framework may be vulnerable. The Apache Geronimo 2.2.1 release included an upgrade to Spring Framework v2.5.6.SEC02 to fix this.
An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to manually patch the server with the updated version of the Spring Framework. Instructions for patching an existing release can be found here:
CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability
The Tomcat web container contains a vulnerability that may expose the Geronimo server to remote denial of service attacks and potentially disclose information about applications running on the Geronimo server. Details of this vulnerability can be found here:
The Apache Geronimo 2.2.1 release included an upgrade to Tomcat version 2.0.29 to fix this.
An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to manually patch the server with the updated version of Tomcat. Instructions for patching an existing release can be found here: