Geronimo 2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076

The Axis2 team has recently discovered a security vulnerability which may allow a remote attacker to launch a denial of service attack. It is also possible for the attacker to steal information from the machine which is running the web services. For more information on this security vulnerability please refer the following document:

• https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf

A similar vulnerability is found in the Apache CXF web services runtime as well. The CXF vulnerability is documented in the following document:

• https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf

How is Apache Geronimo Affected?

Apache Geronimo includes both Apache Axis2 and Apache CXF as the web services runtimes.  As a result, web services running on Apache Geronimo are vulnerable to this security issue.

These issues have been fixed in Apache CXF v2.0.13 and the Axis2 and Axiom versions used by Apache Geronimo.

How can I avoid these vulnerabilities in Apache Geronimo v2.1.x?

It is recommended that you move to Apache Geronimo v2.1.6. Version 2.1.6 includes the fixes to this vulnerability.

If you wish to remain on an existing version of Geronimo, the installation can be patched to avoid the vulnerability or, if you are not using the web services support, you can explicitly disable the web services to remove the vulnerability. To disable the web services, make the following updates to <GERONIMO_HOME>/var/config/config.xml file:

1. Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/cxf-deployer//car module.
2. Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/axis2-deployer//car module.

Upgrading Axis2 and CXF on an existing server

Upgrading Axis2

Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo v2.1.x. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime. These upgrade instructions can only work with the 2.1.4 and 2.1.5 versions of Apache Geronimo.  If you are using an earlier server release, an upgrade to a newer release is required.

• If your server is running stop the server.
• Make a backup of <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar.
• Once done, delete the directories <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20090406 and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5.
• Download the jars http://www.apache.org/dist/geronimo/2.1.6/axis2-kernel-1.3-G20100610.jar and http://www.apache.org/dist/geronimo/2.1.6/axiom-api-1.2.5-20100610.jar
• Place the downloaded jars in the repository locations <GERONIMO_HOME>/repository/org/apache/axis2/axis2-kernel/1.3-G20100610/ and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5-G201100610/, respectively.
• Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties in edit mode and add the following entries:

  org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar
  org.apache.axis2/axis2-kernel/1.3-G20100610/jar=org.apache.axis2/axis2-kernel/1.3-G20100610/jar
  org.apache.ws.commons.axiom/axiom-api//jar = org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar
  org.apache.ws.commons.axiom/axiom-api/1.2.5/jar = org.apache.ws.commons.axiom/axiom-api/1.2.5-20100610/jar
  

• Start the server.

Upgrading CXF

Follow these steps if you are using Apache CXF as the web services runtime in Apache Geronimo v2.1.x. By default Geronimo Jetty assembly uses CXF as the web services runtime.

• If your server is running, stop the server.
• Make a backup of <GERONIMO_HOME>/repository/org/apache/cxf directory. Once done delete the directory <GERONIMO_HOME>/repository/org/apache/cxf.
• Download the 2.0.13 version of all jars present in the cxf repository directory from http://repo1.maven.org/maven2/org/apache/cxf/.  For example, cxf-common-utilities-2.0.13.jar can be downloaded from http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/. The following jars are required:
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.0.13/cxf-api-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.0.13/cxf-common-utilities-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.0.13/cxf-rt-bindings-soap-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.0.13/cxf-rt-bindings-xml-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.0.13/cxf-rt-core-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.0.13/cxf-rt-databinding-jaxb-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.0.13/cxf-rt-frontend-jaxws-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.0.13/cxf-rt-frontend-simple-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.0.13/cxf-rt-transports-http-2.0.13-jar
  • http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.0.13/cxf-tools-common-2.0.13-jar

• Copy all the jars according to the original repository directory, using the new version numbers. For example, copy cxf-common-utilities-2.0.13.jar to <GERONIMO_HOME>/repository/org/apache/cxf/cxf-common-utilities/2.0.13/
• Launch <GERONIMO_HOME>/var/config/artifact-aliases.properties in edit mode and add the following entries:

  org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar
  org.apache.cxf/cxf-common-utilities/2.0.12/jar=org.apache.cxf/cxf-common-utilities/2.0.13/jar
  org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.0.13/jar
  org.apache.cxf/cxf-api/2.0.12/jar=org.apache.cxf/cxf-api/2.0.13/jar
  org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar
  org.apache.cxf/cxf-rt-bindings-soap/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-soap/2.0.13/jar
  org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar
  org.apache.cxf/cxf-rt-bindings-xml/2.0.12/jar=org.apache.cxf/cxf-rt-bindings-xml/2.0.13/jar
  org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.0.13/jar
  org.apache.cxf/cxf-rt-core/2.0.12/jar=org.apache.cxf/cxf-rt-core/2.0.13/jar
  org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar
  org.apache.cxf/cxf-rt-databinding-jaxb/2.0.12/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.0.13/jar
  org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar
  org.apache.cxf/cxf-rt-frontend-jaxws/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.0.13/jar
  org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar
  org.apache.cxf/cxf-rt-frontend-simple/2.0.12/jar=org.apache.cxf/cxf-rt-frontend-simple/2.0.13/jar
  org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar
  org.apache.cxf/cxf-rt-transports-http/2.0.12/jar=org.apache.cxf/cxf-rt-transports-http/2.0.13/jar
  org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.0.13/jar
  org.apache.cxf/cxf-tools-common/2.0.12/jar=org.apache.cxf/cxf-tools-common/2.0.13/jar
  

• Start the server