Geronimo 2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076

The Axis2 team has recently discovered a security vulnerability that may allow a remote attacker to launch a denial of service attack. It is also possible for the attacker to steal information from the machine that is running the web services. For more information on this security vulnerability, please refer to the following document:

A similar vulnerability exists in the Apache CXF web services runtime as well; it is documented in the following document:

How is Apache Geronimo Affected?

Apache Geronimo includes Apache Axis2 and Apache CXF as the web services runtimes. As a result, web services running on Apache Geronimo are vulnerable to this security issue.

These issues have been fixed in Apache CXF v2.1.10, Apache Axis2 v1.5.2, and Axiom v1.2.9.

How can I avoid these vulnerabilities in Apache Geronimo?

These vulnerabilities will be fixed in a future Geronimo v2.2.1 release. Until that release is available, web services support can be disabled, or the server can be patched with the updated Axis2, Axiom and CXF components as described below.

If you are not using web services, you can explicitly disable them to remove the vulnerability. To disable all web services, make the following updates to the <GERONIMO_HOME>/var/config/config.xml file:

  1. Remove the condition attribute from the org.apache.geronimo.configs/cxf-deployer//car module and add the load="false" attribute to it.
  2. Remove the condition attribute from the org.apache.geronimo.configs/axis2-deployer//car module and add the load="false" attribute to it.

If you still require web services, the following steps upgrade the Axis2 and CXF versions used by the server.

Upgrading Axis2 and CXF on an existing server

Upgrading Axis2

Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo v2.2. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime.

This vulnerability is fixed in the Axiom 1.2.9 and Axis2 1.5.2 releases. Patching the Geronimo server requires placing the updated jars in the server repository and aliasing the old artifacts to them.

  • Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties file in an editor and add the following entries:

    org.apache.axis2/axis2-jaxws/1.5/jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
    org.apache.axis2/axis2-kernel/1.5/jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
    org.apache.axis2/axis2-metadata/1.5/jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
    org.apache.axis2/axis2-saaj/1.5/jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
    org.apache.axis2/axis2-transport-http/1.5/jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
    org.apache.axis2/axis2-transport-local/1.5/jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
    org.apache.axis2/axis2-jaxws//jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
    org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
    org.apache.axis2/axis2-metadata//jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
    org.apache.axis2/axis2-saaj//jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
    org.apache.axis2/axis2-transport-http//jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
    org.apache.axis2/axis2-transport-local//jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
    org.apache.ws.commons.axiom/axiom-api/1.2.8/jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
    org.apache.ws.commons.axiom/axiom-dom/1.2.8/jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
    org.apache.ws.commons.axiom/axiom-impl/1.2.8/jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
    org.apache.ws.commons.axiom/axiom-api//jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
    org.apache.ws.commons.axiom/axiom-dom//jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
    org.apache.ws.commons.axiom/axiom-impl//jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
    
  • Start the server.

Upgrading CXF

Follow these steps if you are using Apache CXF as the web services runtime in Apache Geronimo v2.2. By default, the Geronimo Jetty assembly uses CXF as the web services runtime.

  • Copy all the CXF 2.1.10 jars into the repository, following the existing directory structure. For example, copy cxf-common-utilities-2.1.10.jar to <GERONIMO_HOME>/repository/org/apache/cxf/cxf-common-utilities/2.1.10/
  • Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties file in an editor and add the following entries:

    org.apache.cxf/cxf-api/2.1.4/jar=org.apache.cxf/cxf-api/2.1.10/jar
    org.apache.cxf/cxf-common-schemas/2.1.4/jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
    org.apache.cxf/cxf-common-utilities/2.1.4/jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
    org.apache.cxf/cxf-rt-bindings-soap/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
    org.apache.cxf/cxf-rt-bindings-xml/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
    org.apache.cxf/cxf-rt-core/2.1.4/jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
    org.apache.cxf/cxf-rt-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
    org.apache.cxf/cxf-rt-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
    org.apache.cxf/cxf-rt-frontend-simple/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
    org.apache.cxf/cxf-rt-transports-http/2.1.4/jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
    org.apache.cxf/cxf-rt-ws-addr/2.1.4/jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
    org.apache.cxf/cxf-rt-ws-security/2.1.4/jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
    org.apache.cxf/cxf-tools-common/2.1.4/jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
    org.apache.cxf/cxf-tools-java2ws/2.1.4/jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
    org.apache.cxf/cxf-tools-validator/2.1.4/jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-core/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
    org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.1.10/jar
    org.apache.cxf/cxf-common-schemas//jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
    org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
    org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
    org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
    org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
    org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
    org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
    org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
    org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
    org.apache.cxf/cxf-rt-ws-addr//jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
    org.apache.cxf/cxf-rt-ws-security//jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
    org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
    org.apache.cxf/cxf-tools-java2ws//jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
    org.apache.cxf/cxf-tools-validator//jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-core//jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb//jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
    org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws//jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
    
  • Start the server.
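The usual way either of the alias procedures above (Axis2 or CXF) fails is that an alias points at a jar that was never copied into the repository, so the server still cannot resolve it. Below is an added check, not part of the Geronimo page or the Geronimo project, that reads an artifact_aliases.properties file and reports every alias target whose jar is missing. It assumes the Maven-style repository layout the page shows for cxf-common-utilities (group as a directory path, then artifactId, version, and artifactId-version.type) and the groupId/artifactId/version/type alias syntax used by the entries above.

```shell
#!/bin/sh
# Added example: verify that every alias target in artifact_aliases.properties
# exists in the Geronimo repository before starting the server.
# Assumed layout (from the page's cxf-common-utilities example):
#   <repository>/<group as path>/<artifact>/<version>/<artifact>-<version>.<type>

# Print the repository-relative path for an alias target such as
#   org.apache.cxf/cxf-api/2.1.10/jar
artifact_path() {
    group=${1%%/*};    rest=${1#*/}
    artifact=${rest%%/*}; rest=${rest#*/}
    version=${rest%%/*};  type=${rest#*/}
    printf '%s/%s/%s/%s-%s.%s\n' "$(printf '%s' "$group" | tr . /)" \
        "$artifact" "$version" "$artifact" "$version" "$type"
}

# check_aliases <artifact_aliases.properties> <repository dir>
# Prints one MISSING line per unresolved alias target; the return value is
# the number of missing jars (0 means every alias can be resolved).
check_aliases() {
    missing=0
    while IFS='=' read -r source target; do
        # Skip blank lines and comments in the properties file.
        case $source in ''|'#'*) continue ;; esac
        path=$(artifact_path "$target")
        if [ ! -f "$2/$path" ]; then
            echo "MISSING: $source -> $2/$path"
            missing=$((missing + 1))
        fi
    done < "$1"
    return "$missing"
}

# Typical use after adding the entries from this page (GERONIMO_HOME assumed set):
# check_aliases "$GERONIMO_HOME/var/config/artifact_aliases.properties" "$GERONIMO_HOME/repository"
```

A non-zero return means at least one aliased jar still has to be copied into the repository before the server is started.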