Geronimo 2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076
The Axis2 team has recently discovered a security vulnerability which may allow a remote attacker to launch a denial of service attack. It is also possible for the attacker to steal information from the machine which is running the web services. For more information on this security vulnerability please refer the following document:
A similar vulnerability is found in the Apache CXF web services runtime as well. The CXF vulnerability is documented in the following document:
How is Apache Geronimo Affected?
Apache Geronimo includes both Apache Axis2 and Apache CXF as the web services runtimes. As a result, web services running on Apache Geronimo are vulnerable to this security issue.
These issues have been fixed in Apache CXF v2.0.13 and the Axis2 and Axiom versions used by Apache Geronimo.
How can I avoid these vulnerabilities in Apache Geronimo v2.1.x?
It is recommended that you move to Apache Geronimo v2.1.6. Version 2.1.6 includes the fixes to this vulnerability.
If you wish to remain on an existing version of Geronimo, the installation can be patched to avoid the vulnerability or, if you are not using the web services support, you can explicitly disable the web services to remove the vulnerability. To disable the web services, make the following updates to <GERONIMO_HOME>/var/config/config.xml file:
- Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/cxf-deployer//car module.
- Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/axis2-deployer//car module.
Upgrading Axis2 and CXF on an existing server
Upgrading Axis2
Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo v2.1.x. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime. These upgrade instructions can only work with the 2.1.4 and 2.1.5 versions of Apache Geronimo. If you are using an earlier server release, an upgrade to a newer release is required.
- If your server is running stop the server.
- Make a backup of <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar.
- Once done, delete the directories <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406 and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5.
- Download the jars http://www.apache.org/dist/geronimo/2.1.6/axis2-kernel-1.3-G20100610.jar and http://www.apache.org/dist/geronimo/2.1.6/axiom-api-1.2.5-20100610.jar
- Place the downloaded jars in the repository locations <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20100610/ and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5-G201100610/, respectively.
- Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties in edit mode and add the following entries:
- Start the server.
Upgrading CXF
Follow these steps if you are using Apache CXF as the web services runtime in Apache Geronimo v2.1.x. By default Geronimo Jetty assembly uses CXF as the web services runtime.
- Copy all the jars according to the original repository directory, using the new version numbers. For example, copy cxf-common-utilities-2.0.13.jar to <GERONIMO_HOME>/repository/org/apache/cxf/cxf-common-utilities/2.0.13/
- Launch <GERONIMO_HOME>/var/config/artifact-aliases.properties in edit mode and add the following entries: