
Geronimo 2.1.x and Geronimo 2.2 Patch Instructions for the Tomcat CVE-2010-2227 Vulnerability.

The Tomcat project has recently disclosed a security vulnerability (CVE-2010-2227) that may allow a remote denial of service attack or an information disclosure. For more information on this vulnerability, refer to the following document:

How is Apache Geronimo Affected?

Apache Geronimo uses Tomcat as one of the supported web containers for the Geronimo server. Servers configured to use the Tomcat web container may be vulnerable to either of these exploits.

These issues have been fixed in the tomcat-parent-6.0.29 component used by Geronimo.

How can I avoid these vulnerabilities in Apache Geronimo?

If you wish to remain on an existing version of Geronimo, the installation can be patched to avoid the vulnerability. The following steps upgrade the Tomcat libraries used by the server to 6.0.29.

  • Copy all the 6.0.29 jars into the server repository, following the existing repository directory structure. For example, copy catalina-6.0.29.jar to <G_HOME>/repository/org/apache/geronimo/ext/tomcat/catalina/6.0.29/.
  • Open <G_HOME>/var/config/artifact_aliases.properties in an editor and add the following entries, which redirect each 6.0.26 artifact to its 6.0.29 replacement:
    org.apache.geronimo.ext.tomcat/catalina/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina/6.0.29/jar
    org.apache.geronimo.ext.tomcat/catalina-ha/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina-ha/6.0.29/jar
    org.apache.geronimo.ext.tomcat/jasper/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper/6.0.29/jar
    org.apache.geronimo.ext.tomcat/jasper-el/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper-el/6.0.29/jar
    org.apache.geronimo.ext.tomcat/shared/6.0.26/jar=org.apache.geronimo.ext.tomcat/shared/6.0.29/jar
    org.apache.geronimo.ext.tomcat/tribes/6.0.26/jar=org.apache.geronimo.ext.tomcat/tribes/6.0.29/jar
    org.apache.geronimo.ext.tomcat/util/6.0.26/jar=org.apache.geronimo.ext.tomcat/util/6.0.29/jar
  • Start the server.
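The three steps above, scripted and checked, as an added example that is not part of the Geronimo project's instructions. It assumes the patched 6.0.29 jars have already been downloaded into a flat directory ($PATCH_DIR, a name chosen here) and that $G_HOME is the Geronimo install root; it copies each jar into the repository layout shown above, appends the seven alias entries without duplicating ones already present, and then verifies that every jar the aliases now point at actually exists before you start the server.

```shell
#!/bin/sh
# Added example, not the Geronimo project's own tooling.
# Assumed inputs: G_HOME   = Geronimo install root
#                 PATCH_DIR = flat directory holding catalina-6.0.29.jar, ...

OLD_VER=6.0.26
NEW_VER=6.0.29
ARTIFACTS="catalina catalina-ha jasper jasper-el shared tribes util"
GROUP_ID="org.apache.geronimo.ext.tomcat"
GROUP_PATH="org/apache/geronimo/ext/tomcat"

# Build the artifact_aliases.properties line for one artifact, exactly as
# listed on this page: old-version artifact id -> new-version artifact id.
alias_line() {
    printf '%s/%s/%s/jar=%s/%s/%s/jar\n' \
        "$GROUP_ID" "$1" "$OLD_VER" "$GROUP_ID" "$1" "$NEW_VER"
}

# Step 1: copy each patched jar into <G_HOME>/repository/<group>/<artifact>/<version>/
install_jars() {
    g_home=$1; patch_dir=$2
    for a in $ARTIFACTS; do
        src="$patch_dir/$a-$NEW_VER.jar"
        dest="$g_home/repository/$GROUP_PATH/$a/$NEW_VER"
        [ -f "$src" ] || { echo "missing patch jar: $src" >&2; return 1; }
        mkdir -p "$dest" && cp "$src" "$dest/" || return 1
    done
}

# Step 2: append the alias entries; entries already present are skipped so
# the script can be re-run safely.
add_aliases() {
    props="$1/var/config/artifact_aliases.properties"
    mkdir -p "$(dirname "$props")"
    [ -f "$props" ] || : > "$props"
    for a in $ARTIFACTS; do
        line=$(alias_line "$a")
        grep -qxF "$line" "$props" || echo "$line" >> "$props"
    done
}

# Check before step 3 (starting the server): every alias target must exist on
# disk and every alias line must be in the properties file. A dangling alias
# would leave the web container unable to resolve its jars at startup.
verify_patch() {
    g_home=$1
    props="$g_home/var/config/artifact_aliases.properties"
    for a in $ARTIFACTS; do
        jar="$g_home/repository/$GROUP_PATH/$a/$NEW_VER/$a-$NEW_VER.jar"
        [ -f "$jar" ] || { echo "alias target missing: $jar" >&2; return 1; }
        grep -qxF "$(alias_line "$a")" "$props" || { echo "alias missing for $a" >&2; return 1; }
    done
}

apply_patch() {
    install_jars "$1" "$2" && add_aliases "$1" && verify_patch "$1"
}

# Usage: G_HOME=/opt/geronimo PATCH_DIR=/tmp/tomcat-6.0.29 sh patch-tomcat.sh
if [ -n "$G_HOME" ] && [ -n "$PATCH_DIR" ]; then
    apply_patch "$G_HOME" "$PATCH_DIR" && echo "patch applied; start the server"
fi
```

Run it with the server stopped; verify_patch is the check worth keeping even if you apply the steps by hand, since a typo in one alias line or a jar copied to the wrong directory only shows up as a failure when the Tomcat container starts.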