Geronimo 2.1.x and 2.2.x Patch Instructions for the Tomcat CVE-2010-2227 Vulnerability

The Tomcat project has disclosed a security vulnerability, CVE-2010-2227, in its handling of an invalid Transfer-Encoding request header. A remote, unauthenticated attacker can send a crafted request that causes a denial of service or discloses information from another request's buffer. Tomcat 6.0.0 through 6.0.27 is affected; the fix shipped in 6.0.28. For more information, refer to the following document:

How is Apache Geronimo Affected?

Apache Geronimo uses Tomcat as one of the supported web containers for the Geronimo server. Servers configured to use the Tomcat web container (rather than Jetty) are exposed to this vulnerability. The alias entries below assume the bundled Tomcat is 6.0.26; confirm the version directories present under <G_HOME>/repository/org/apache/geronimo/ext/tomcat/ before applying them.

This issue is fixed in Tomcat 6.0.29, packaged as the tomcat-parent-6.0.29 component used by Geronimo.

How can I avoid this vulnerability in Apache Geronimo?

If you wish to remain on an existing version of Geronimo, the installation can be patched in place. The following steps upgrade the Tomcat libraries used by the server to 6.0.29 without rebuilding the server, by aliasing the 6.0.26 artifacts to the 6.0.29 ones in the Geronimo repository.

  • Stop the server. Obtain the Tomcat 6.0.29 jars for the artifacts listed below and verify their checksums before use, then copy them into the repository following the existing directory structure. For example, copy catalina-6.0.29.jar to <G_HOME>/repository/org/apache/geronimo/ext/tomcat/catalina/6.0.29/. Each alias below resolves only if the target jar exists at exactly that path.
  • Open <G_HOME>/var/config/artifact_aliases.properties in an editor and add the following entries (one per line):
    org.apache.geronimo.ext.tomcat/catalina/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina/6.0.29/jar
    org.apache.geronimo.ext.tomcat/catalina-ha/6.0.26/jar=org.apache.geronimo.ext.tomcat/catalina-ha/6.0.29/jar
    org.apache.geronimo.ext.tomcat/jasper/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper/6.0.29/jar
    org.apache.geronimo.ext.tomcat/jasper-el/6.0.26/jar=org.apache.geronimo.ext.tomcat/jasper-el/6.0.29/jar
    org.apache.geronimo.ext.tomcat/shared/6.0.26/jar=org.apache.geronimo.ext.tomcat/shared/6.0.29/jar
    org.apache.geronimo.ext.tomcat/tribes/6.0.26/jar=org.apache.geronimo.ext.tomcat/tribes/6.0.29/jar
    org.apache.geronimo.ext.tomcat/util/6.0.26/jar=org.apache.geronimo.ext.tomcat/util/6.0.29/jar
  • Start the server. It now loads the 6.0.29 jars wherever a module references the 6.0.26 artifacts.
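The three steps above as one idempotent POSIX shell script. This is an added example, not a tool shipped by the Geronimo project: it assumes the 6.0.29 jars have already been downloaded and verified into a staging directory as <artifact>-6.0.29.jar, installs them into the repository layout, appends the alias lines (without duplicating any that are already present, and without corrupting a properties file that lacks a trailing newline), and then checks that every alias points at a jar that actually exists, since a dangling alias leaves the server unable to resolve the artifact. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Geronimo project code): apply the Tomcat 6.0.26 -> 6.0.29
# alias patch for CVE-2010-2227 to a Geronimo 2.1.x/2.2.x installation.
# Assumes the 6.0.29 jars are already in a staging directory as <artifact>-6.0.29.jar.
set -eu

OLD_VER=6.0.26
NEW_VER=6.0.29
GROUP_PATH=org/apache/geronimo/ext/tomcat      # repository directory form
GROUP_ID=org.apache.geronimo.ext.tomcat        # artifact_aliases.properties form
ARTIFACTS="catalina catalina-ha jasper jasper-el shared tribes util"

# install_jars G_HOME STAGING_DIR
# Copies each <artifact>-6.0.29.jar into <G_HOME>/repository/<group>/<artifact>/6.0.29/.
install_jars() {
  g_home=$1; staging=$2
  for a in $ARTIFACTS; do
    src="$staging/$a-$NEW_VER.jar"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    dest="$g_home/repository/$GROUP_PATH/$a/$NEW_VER"
    mkdir -p "$dest"
    cp "$src" "$dest/"
  done
}

# add_aliases G_HOME
# Appends the old->new alias lines to var/config/artifact_aliases.properties.
# Safe to re-run: lines already present are skipped, and a file without a final
# newline gets one first so the new entry is not glued onto the last existing line.
add_aliases() {
  props="$1/var/config/artifact_aliases.properties"
  mkdir -p "$(dirname "$props")"
  touch "$props"
  if [ -s "$props" ] && [ -n "$(tail -c1 "$props")" ]; then
    echo >> "$props"
  fi
  for a in $ARTIFACTS; do
    line="$GROUP_ID/$a/$OLD_VER/jar=$GROUP_ID/$a/$NEW_VER/jar"
    grep -qxF "$line" "$props" || printf '%s\n' "$line" >> "$props"
  done
}

# verify_patch G_HOME
# Fails if any alias line is absent or if its target jar is not on disk at the
# path the alias implies; either case means the server would not pick up 6.0.29.
verify_patch() {
  g_home=$1
  props="$g_home/var/config/artifact_aliases.properties"
  for a in $ARTIFACTS; do
    line="$GROUP_ID/$a/$OLD_VER/jar=$GROUP_ID/$a/$NEW_VER/jar"
    grep -qxF "$line" "$props" || { echo "alias missing: $line" >&2; return 1; }
    jar="$g_home/repository/$GROUP_PATH/$a/$NEW_VER/$a-$NEW_VER.jar"
    [ -f "$jar" ] || { echo "jar missing for alias: $jar" >&2; return 1; }
  done
  echo "patch verified: $OLD_VER aliased to $NEW_VER for all Tomcat artifacts"
}

# Usage: sh patch_tomcat.sh <G_HOME> <STAGING_DIR>   (run with the server stopped)
if [ $# -eq 2 ]; then
  install_jars "$1" "$2"
  add_aliases "$1"
  verify_patch "$1"
fi
```

Run it with the server stopped, then start the server. If verify_patch reports a missing jar, fix the repository layout before starting; the alias mechanism does not fall back to the 6.0.26 jar.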