2007-09-06
We have discovered a security vulnerability in Geronimo: the management EJB (MEJB) allows unchallenged (unauthenticated) access to Geronimo internals.
As a temporary workaround you can disable MEJB by editing the configuration file at <geronimo_home>/var/config.xml. Locate the openejb module and add (or change) the gbean entry for ejb/mgmt/MEJB so that it carries load="false", as in the excerpt below.
Excerpt from config.xml (the "..." marks content omitted from the excerpt):

  ...
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
      ...
    </gbean>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
  </module>
  ...
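The workaround above as an added example (not Geronimo project code): a Python script that sets load="false" on the ejb/mgmt/MEJB gbean in every openejb module of a config.xml, adding the gbean element when it is absent, and a check that reports whether MEJB would still be loaded. It assumes only the layout shown in the excerpt (a module element whose name starts with org.apache.geronimo.configs/openejb/, containing gbean children); the root element name and the sample values are constructed for this example and are not taken from a real installation.

```python
# Added example (not Geronimo project code): apply and verify the config.xml
# workaround from the advisory above.  Assumes the layout shown in the excerpt:
# a <module name="org.apache.geronimo.configs/openejb/..."> containing <gbean>
# children.  The root element name and the sample values below are constructed
# for this example, not taken from a real installation.
import sys
import xml.etree.ElementTree as ET

MEJB_GBEAN = "ejb/mgmt/MEJB"
OPENEJB_PREFIX = "org.apache.geronimo.configs/openejb/"

# Constructed sample config.xml with MEJB still enabled (no gbean entry for it).
SAMPLE_CONFIG = """<attributes>
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
      <attribute name="port">4201</attribute>
    </gbean>
  </module>
  <module name="org.apache.geronimo.configs/j2ee-server/2.0.1/car"/>
</attributes>
"""


def _local(tag):
    """Element name without any {namespace} prefix ElementTree attaches."""
    return tag.rsplit("}", 1)[-1]


def _openejb_modules(root):
    """Every <module> whose name identifies an openejb configuration."""
    mods = [m for m in root.iter()
            if _local(m.tag) == "module"
            and m.get("name", "").startswith(OPENEJB_PREFIX)]
    if not mods:
        raise ValueError("no openejb module found; is this a Geronimo config.xml?")
    return mods


def _mejb_gbean(module):
    """The <gbean name="ejb/mgmt/MEJB"> child of a module, or None."""
    for child in module:
        if _local(child.tag) == "gbean" and child.get("name") == MEJB_GBEAN:
            return child
    return None


def mejb_enabled(xml_text):
    """True if any openejb module would still load MEJB.

    A missing gbean entry leaves the GBean at its default (loaded) and only
    an explicit load="false" disables it, so both the absent and the
    load="true" cases count as enabled."""
    root = ET.fromstring(xml_text)
    for module in _openejb_modules(root):
        gbean = _mejb_gbean(module)
        if gbean is None or gbean.get("load", "true").lower() != "false":
            return True
    return False


def disable_mejb(xml_text):
    """Return config.xml text with <gbean load="false" name="ejb/mgmt/MEJB"/>
    in every openejb module, adding the element when it is absent and leaving
    the rest of the document alone.  Running it twice changes nothing more."""
    root = ET.fromstring(xml_text)
    for module in _openejb_modules(root):
        gbean = _mejb_gbean(module)
        if gbean is None:
            # Keep the module's namespace (if any) on the new child element.
            ns = module.tag[: len(module.tag) - len("module")]
            gbean = ET.SubElement(module, ns + "gbean", name=MEJB_GBEAN)
        gbean.set("load", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python disable_mejb.py <geronimo_home>/var/config.xml
    # A .bak copy is written first; ElementTree drops comments and the XML
    # declaration when it re-serializes, so review the result before use.
    path = sys.argv[1]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    print("MEJB enabled before:", mejb_enabled(original))
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    patched = disable_mejb(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)
    print("MEJB enabled after: ", mejb_enabled(patched))
```

Two caveats when using this. First, Geronimo reads config.xml when it starts, so plan on a server restart for the change to take effect, and run mejb_enabled afterwards on the file the server actually loaded. Second, the workaround removes the JSR-77 management EJB for legitimate management clients as well as for attackers; that is the trade-off until the fixed release is available.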
We will be releasing a new version soon that controls access to MEJB in a more secure way. This issue is tracked in JIRA as GERONIMO-3456.