Edit Page
 Index > Community > Security Reports > 2.1.x Security Report > Geronimo 2.1.x CVE-2010-1632 Patch Instructions User List | Dev List | Wiki | Issue Tracker  
  Overview
Home
Documentation
Downloads
News Archive
Project Management
License
Privacy Policy
ASF
  Search
Powered by Google Search
  Community
Events
Get Involved
Committers
Mailing Lists
Discussion Forums
Blog
IRC
FAQ
Wiki
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
  Development
Javadoc
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
  Subprojects
Development Tools
Sample Applications
GBuild
GShell
XBean
Yoko
Java EE Specs
Components
Plugins
RSS News
RSS Site Changes
ATOM User Mailing List
ATOM Developer Mailing List

Geronimo 2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076

The Axis2 team has recently discovered a security vulnerability which may allow a remote attacker to launch a denial of service attack. It is also possible for the attacker to steal information from the machine which is running the web services. For more information on this security vulnerability please refer the following document:

A similar vulnerability is found in the Apache CXF web services runtime as well. The CXF vulnerability is documented in the following document:

How is Apache Geronimo Affected?

Apache Geronimo includes both Apache Axis2 and Apache CXF as the web services runtimes.  As a result, web services running on Apache Geronimo are vulnerable to this security issue.

These issues have been fixed in Apache CXF v2.0.13 and the Axis2 and Axiom versions used by Apache Geronimo.

How can I avoid these vulnerabilities in Apache Geronimo v2.1.x?

It is recommended that you move to Apache Geronimo v2.1.6. Version 2.1.6 includes the fixes to this vulnerability.

If you wish to remain on an existing version of Geronimo, the installation can be patched to avoid the vulnerability or, if you are not using the web services support, you can explicitly disable the web services to remove the vulnerability. To disable the web services, make the following updates to <GERONIMO_HOME>/var/config/config.xml file:

  1. Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/cxf-deployer//car module.
  2. Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/axis2-deployer//car module.

Upgrading Axis2 and CXF on an existing server

Upgrading Axis2

Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo v2.1.x. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime. These upgrade instructions can only work with the 2.1.4 and 2.1.5 versions of Apache Geronimo.  If you are using an earlier server release, an upgrade to a newer release is required.

  • If your server is running stop the server.
  • Make a backup of <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar.
  • Once done, delete the directories <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406 and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5.
  • Download the jars http://www.apache.org/dist/geronimo/2.1.6/axis2-kernel-1.3-G20100610.jar and http://www.apache.org/dist/geronimo/2.1.6/axiom-api-1.2.5-20100610.jar
  • Place the downloaded jars in the repository locations <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20100610/ and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5-G201100610/, respectively.
  • Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties in edit mode and add the following entries:
    org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar
    org.apache.axis2/axis2-kernel/1.3-G20100610/jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar
    org.apache.ws.commons.axiom/axiom-api//jar = org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar
    org.apache.ws.commons.axiom/axiom-api/1.2.5/jar = org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar
    
  • Start the server.

Upgrading CXF

Follow these steps if you are using Apache CXF as the web services runtime in Apache Geronimo v2.1.x. By default Geronimo Jetty assembly uses CXF as the web services runtime.

  • Copy all the jars according to the original repository directory, using the new version numbers. For example, copy cxf-common-utilities-2.0.13.jar to <GERONIMO_HOME>/repository/org/apache/cxf/cxf-common-utilities/2.0.13/
  • Launch <GERONIMO_HOME>/var/config/artifact-aliases.properties in edit mode and add the following entries:
    org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar
    org.apache.cxf/cxf-common-utilities/2.0.12/jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar
    org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.0.13/jar
    org.apache.cxf/cxf-api/2.0.12/jar=org.apache.cxf/cxf-api/2.0.13/jar
    org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar
    org.apache.cxf/cxf-rt-bindings-soap/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar
    org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar
    org.apache.cxf/cxf-rt-bindings-xml/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar
    org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.0.13/jar
    org.apache.cxf/cxf-rt-core/2.0.12/jar=org.apache.cxf/cxf-rt-core/2.0.13/jar
    org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar
    org.apache.cxf/cxf-rt-databinding-jaxb/2.0.12/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar
    org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar
    org.apache.cxf/cxf-rt-frontend-jaxws/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar
    org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar
    org.apache.cxf/cxf-rt-frontend-simple/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar
    org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar
    org.apache.cxf/cxf-rt-transports-http/2.0.12/jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar
    org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.0.13/jar
    org.apache.cxf/cxf-tools-common/2.0.12/jar=org.apache.cxf/cxf-tools-common/2.0.13/jar
    
  • Start the server