Index > Community > Security Reports > 2.1.x Security Report | User List | Dev List | Wiki | Issue Tracker |
|
Apache Geronimo 2.1.x vulnerabilitiesThis page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified list the version with a question mark. Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.
Other Known VulnerabilitiesNone at this time. Fixed in Geronimo 2.1.8Please visit the 2.1.8 Release Notes page for details on all of the included JIRAs. Geronimo Server:Upgraded from Tomcat 6.0.29 to 6.0.35 to include the following security fixesFixed in Apache Tomcat 6.0.35
Fixed in Apache Tomcat 6.0.33
Fixed in Apache Tomcat 6.0.32
Fixed in Apache Tomcat 6.0.30
Fixed in Geronimo 2.1.7Please visit the 2.1.7 Release Notes page for details on all of the included JIRAs. Geronimo Server:CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure VulnerabilityThe Tomcat web container contains a vulnerability that may expose the Geronimo server to remote denial of service attacks and potentially disclose information about applications running on the Geronimo server. Details of this vulnerability can be found here: An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.7, is to manually patch the server with the updated version of the Tomcat. Instructions for patching an existing release can be found here: JIRA: GERONIMO-5387 Fixed in Geronimo 2.1.6Please visit the 2.1.6 Release Notes page for details on all of the included JIRAs. Geronimo Server:CVE-2010-1632 and CVE-2010-2076: Axis2 and CXF HTTP binding enables DTD based XML attacks.A vulnerability was found in both the Axis2 and CXF web services runtime that can allow an attacker to determine the presence of files on a target server and potentially extract the content of the target files. This affects all Geronimo assemblies that include the Axis2 or CXF runtimes, in particular, the javaee5 Jetty and Tomcat assemblies. Details of the vulnerabilities can be found in the following Axis2 and CXF security alerts:
The Apache Geronimo 2.1.6 release includes patches to Axis2 1.3 and Axiom 1.2.5 and an upgrade to CXF 2.1.13. An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6, is to disable the web services runtime or manually patch the server with updated versions of the runtime. Instructions for disabling the web services runtime or patching an existing release can be found here: JIRA: GERONIMO-5383 Geronimo Server:CVE-2010-1622: Spring Framework execution of arbitrary codeThe Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker. Details of this vulnerability can be found here: The Apache Geronimo 2.1.6 release includes an upgrade to Spring Framework v2.5.6.SEC02. At the current time, there are no known exposures in the Geronimo server due to this exploit, but applications using the included version of the Spring Framework may be vulnerable. An alternative workaround, if you choose not to upgrade to Apache Geronimo 2.1.6, is to manually patch the server with the updated version of the Spring Framework. Instructions for patching an existing release can be found here: JIRA: GERONIMO-5387 Fixed in Geronimo 2.1.5Please visit the 2.1.5 Release Notes page for details on all of the included JIRAs. Fixed in Geronimo 2.1.4Please visit the 2.1.4 Release Notes page for details on all of the included JIRAs. Geronimo ServerIncluded patch to close potential denial of service attack vector (OOM) in Tomcat session handling JIRA: GERONIMO-3838 Geronimo Admin Console:CVE-2008-5518: Apache Geronimo web administration console directory traversal vulnerabilities.A vulnerability was found in several portlets including Services/Repository, Embedded DB/DB Manager, and Security/Keystores when running the Apache Geronimo server on Windows. This issue may allow a remote attacker to upload any file in any directory. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server. JIRA: GERONIMO-4597 CVE-2009-0038: Apache Geronimo web administration console XSS vulnerabilitiesVarious linked and stored cross-site scripting (XSS) vulnerabilities were found in the Apache Geronimo administrative console and related utilities. Using this vulnerability an attacker can steal an administrator's cookie and then authenticate as administrator or perform certain administrative actions. For example, a user can inject XSS in some URLs or in several input fields in various portlets. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server. JIRA: GERONIMO-4597 CVE-2009-0039: Apache Geronimo web administration console XSRF vulnerabilitiesVarious cross-site request forgery (XSRF or CSRF) vulnerabilities were identified in the Apache Geronimo web administration console. Exploiting these issues may allow a remote attacker to perform certain administrative actions, e.g. change web administration password, upload applications, etc... using predictable URL requests once the user has authenticated and obtained a valid session with the server. This affects all full JavaEE Geronimo assemblies or other distributions which include the administration web console up to and including Apache Geronimo 2.1.3. An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the administration web console application in the server. JIRA: GERONIMO-4597 Fixed in Geronimo 2.1.3Please visit the 2.1.3 Release Notes page for details on all of the included JIRAs. DWRUpgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -
JIRA: GERONIMO-4266 ActiveMQIncluded ActiveMQ patch for the following security exposure -
JIRA: GERONIMO-4262 TomcatUpgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -
For more details on each fix, please visit the Tomcat 6.x Security page. JIRA: GERONIMO-4245 Fixed in Geronimo 2.1.2DWRUpgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes - JIRA: GERONIMO-4116 TomcatUpgraded from Tomcat 6.0.14 to 6.0.16 to include the following security fixes -
For more details on each fix, please visit the Tomcat 6.x Security page. JIRA: GERONIMO-4085 Fixed in Geronimo 2.1.1None |
Bookmark this on Delicious Digg this | Privacy Policy - Copyright © 2003-2013, The Apache Software Foundation, Licensed under ASL 2.0. |