Geronimo 2.1.x and Geronimo 2.2 Patch Instructions for Spring Framework SEC02 Vulnerability.

The Spring Framework project has recently discovered a security vulnerability which may allow a remote attacker to inject malicious code into an application that is using the Spring Framework. For more information on this security vulnerability kindly refer the following document:

• http://www.securityfocus.com/archive/1/511877/30/0/threaded

How is Apache Geronimo Affected?

Apache Geronimo uses the Spring Framework to implement some functions in the ActiveMQ console and the vulnerable Spring libraries are included in the Geronimo jar repository. It is not believed that the console application is vulnerable to this attack, but any application that is using the included version of the Spring framework might be. Users are advised to update the version of the Spring libraries to remove the chance that this exploit can be used.

These issues have been fixed in Spring Framework version 2.5.6.SEC02.

How can I avoid these vulnerabilities in Apache Geronimo?

It is recommended that you move to Apache Geronimo v2.1.6 or v2.2.1. These versions include the updated Spring libraries.

If you wish to remain on an existing version of Geronimo, the installation can be patched to avoid the vulnerability. The following steps will upgrade the Spring framework libraries used by the server.

• If your server is running stop the server.
• Make a backup of the directory <G_HOME>/repository/org/springframework/. Once done, delete the directory <G_HOME>/repository/org/springframe/
• Download the 2.5.6.SEC02 version of all jars present in the springframework repository directory from http://repo1.maven.org/maven2/org/springframework/. For example, spring-beans-s.5.6.SEC02.jar can be downloaded from http://repo1.maven.org/maven2/org/springframework/spring-beans/2.5.6.SEC02/. The following jars are required:
  • http://repo1.maven.org/maven2/org/springframework/spring-context/2.5.6.SEC02/spring-beans-2.5.6.SEC02.jar
  • http://repo1.maven.org/maven2/org/springframework/spring-context/2.5.6.SEC02/spring-context-2.5.6.SEC02.jar
  • http://repo1.maven.org/maven2/org/springframework/spring-core/2.5.6.SEC02/spring-core-2.5.6.SEC02.jar
  • http://repo1.maven.org/maven2/org/springframework/spring-web/2.5.6.SEC02/spring-web-2.5.6.SEC02.jar

• Copy all the jars according to the original repository directory structure. For example, copy spring-beans-2.5.6.SEC02.jar to <G_HOME>/repository/org/springframework/spring-beans/2.5.6-SEC02
• Open the <G_HOME>/var/config/artifact_aliases.properties in edit mode and add the following entries:

  org.springframework/spring-beans/2.5.6/jar=org.springframework/spring-beans/2.5.6-SEC02/jar
  org.springframework/spring-context/2.5.6/jar=org.springframework/spring-context/2.5.6-SEC02/jar
  org.springframework/spring-core/2.5.6/jar=org.springframework/spring-core/2.5.6-SEC02/jar
  org.springframework/spring-web/2.5.6/jar=org.springframework/spring-web/2.5.6-SEC02/jar
  

• Start the server.