Edit Page
 Index > Community > Security Reports > 2.2.x Security Report User List | Dev List | Wiki | Issue Tracker  
  Overview
Home
Documentation
Downloads
News Archive
Project Management
License
Privacy Policy
ASF
  Search
Powered by Google Search
  Community
Events
Get Involved
Committers
Mailing Lists
Discussion Forums
Blog
IRC
FAQ
Wiki
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
  Development
Javadoc
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
  Subprojects
Development Tools
Sample Applications
GBuild
GShell
XBean
Yoko
Java EE Specs
Components
Plugins
RSS News
RSS Site Changes
ATOM User Mailing List
ATOM Developer Mailing List

Apache Geronimo 2.2.x vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.2. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.


Fixed in Geronimo 2.2.1

CVE-2011-5034 and CVE-2011-4858 - "multiple implementations denial-of-service via hash algorithm collision" have been fixed via GERONIMO-6253.

Please visit the 2.2.1 Release Notes page for details on all of the included JIRAs.

Geronimo Server:

CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.

A vulnerability was found in both the Axis2 and CXF web services runtime that can allow an attacker to determine the presence of files on a target server and potentially extract the content of the target files. This affects all Geronimo assemblies that include the Axis2 or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies. Details of the vulnerabilities can be found in the following Axis2 and CXF security alerts:

The CXF vulnerabilities are fixed in CXF 2.1.10. The Axis2 vulnerability will be fixed in Axis2 1.5.2 and Axiom 1.2.9.

An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to disable the web services runtime or manually patch the server with updated versions of the runtime. Instructions for disabling the web services runtime or patching an existing release can be found here:

JIRA: GERONIMO-5383
Affects: 2.2

Geronimo Server:

CVE-2010-1622: Spring Framework execution of arbitrary code

The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker. Details of this vulnerability can be found here:

At the current time, there are no known exposures in the Geronimo server due to this exploit, but applications using the included version of the Spring Framework may be vulnerable. Apache Geronimo 2.2.1 release included an upgrade to Spring Framework v2.5.6.SEC02 to fix this.

An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to manually patch the server with the updated version of the Spring Framework. Instructions for patching an existing release can be found here:

JIRA: GERONIMO-5387
Affects: 2.2

Geronimo Server:

CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability

The Tomcat web container contains a vulnerability that may expose the Geronimo server to remote denial of service attacks and potentially disclose information about applications running on the Geronimo server. Details of this vulnerability can be found here:

Apache Geronimo 2.2.1 release included an upgrade to Tomcat version 2.0.29 to fix this.

An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.2.1, is to manually patch the server with the updated version of the Tomcat. Instructions for patching an existing release can be found here:

JIRA: GERONIMO-5387
Affects: 2.2