2.0.x Security Report

Apache Geronimo 2.0.x vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.0. Each vulnerability is given a security impact rating by either the Apache Geronimo team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.

• Apache Geronimo 2.0.3-SNAPSHOT
• Apache Geronimo 2.0.2
• Apache Geronimo 2.0.1

Other Known Vulnerabilities

None at this time.

Fixed in Geronimo 2.0.3-SNAPSHOT build 20081119 or later

Please visit the 2.0.3 Release Status page for details on the expected content and target release date.

Geronimo Server

Included patch to close potential denial of service attack vector (OOM) in Tomcat session handling

JIRA: GERONIMO-3838
Affects: 2.0-2.0.2

Fixed in Geronimo 2.0.3-SNAPSHOT build 20080827 or later

ActiveMQ

Included ActiveMQ patch for the following security exposure -

• AMQ-1272 - Stomp protocol does not correctly check authentication (security hole)

JIRA: GERONIMO-4262
Affects: 2.0-2.0.2

DWR

Upgraded from DWR 1.1.3 to 1.1.4 include the following security fixes -

• DWR version 1.1.4 contains a number of security and bug fixes

JIRA: GERONIMO-4269
Affects: 2.0-2.0.2

Jetty

Upgraded from Jetty 6.1.5 to 6.1.7 to include the following security fixes -

• Fixed in 6.1.7 -
  • JETTY-386 CERT-553235 backout fix and replaced with ContextHandler.setCompactPath(boolean)
• Fixed in 6.1.6rc1 -
  • CERT VU#38616 handle single quotes in cookie names.
  • JETTY-452 CERT VU#237888 Dump Servlet - prevent cross site scripting
• Fixed in 6.1.6rc0 -
  • CVE-2007-5615 Added protection for response splitting with bad headers.

JIRA: GERONIMO-4268
Affects: 2.0-2.0.2

Tomcat

Upgraded from Tomcat 6.0.13 to 6.0.18 to include the following security fixes.

• Tomcat 6.0.18 -
  • low: Cross-site scripting CVE-2008-1232
  • low: Cross-site scripting CVE-2008-1947
  • important: Information disclosure CVE-2008-2370
  • moderate: Directory traversal CVE-2008-2938
• Tomcat 6.0.16 -
  • low: Session hi-jacking CVE-2007-5333
  • low: Elevated privileges CVE-2007-5342
  • important: Information disclosure CVE-2007-5461
  • important: Data integrity CVE-2007-6286
  • important: Information disclosure CVE-2008-0002
• Tomcat 6.0.14 -
  • low: Cross-site scripting CVE-2007-2449
  • low: Cross-site scripting CVE-2007-2450
  • low: Session hi-jacking CVE-2007-3382
  • low: Session hi-jacking CVE-2007-3385
  • low: Cross-site scripting CVE-2007-3386

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4245
Affects: 2.0-2.0.2

Fixed in Geronimo 2.0.2

Fixed in Geronimo 2.0.1