Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0-M1, 3.0.0, 3.0-beta-1
    • Fix Version/s: 3.0.1
    • Component/s: core
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      A misconfigured RMI classloader in Apache Geronimo 3.0 may enable an attacker to send a serialized object via JMX that could compromise the system.

        Activity

        Jarek Gawor added a comment -

        Remote exploits can be prevented by hiding the naming (1099) and JMX (9999) ports behind a firewall or binding the ports to a local network interface.

        Fix for this issue was committed in revision 1458113.

        Jarek Gawor added a comment -

        CVE-2013-1777 was assigned for this issue.

        The original issue was discovered by Pierre Ernst of IBM Canada Ltd.
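
A check for the bind-address mitigation described in the first comment, as an added example that is not part of the issue or of Geronimo: it parses `ss -ltn` output and reports listeners on the naming (1099) and JMX (9999) ports that are bound to anything other than a loopback address. The function names and the sample output are constructed for illustration.

```python
import ipaddress

# Ports named in the issue comment: RMI naming (1099) and JMX (9999).
GERONIMO_PORTS = {1099: "naming", 9999: "JMX"}

def split_local(addr):
    """Split the Local Address:Port column of `ss -ltn` into (host, port)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def is_loopback(host):
    """True only for loopback binds; '*', 0.0.0.0 and :: are wildcard binds."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable: report it so someone reviews it

def exposed_listeners(ss_output, ports=GERONIMO_PORTS):
    """Return (service, host, port) for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_local(fields[3])
        if port in ports and not is_loopback(host):
            findings.append((ports[port], host, port))
    return findings

# Constructed sample of `ss -ltn` output (not taken from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:1099     0.0.0.0:*
LISTEN 0      50     0.0.0.0:9999       0.0.0.0:*
LISTEN 0      50     [::1]:9999         [::]:*
LISTEN 0      50     *:1099             *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     192.0.2.10:9999    0.0.0.0:*
"""

if __name__ == "__main__":
    for name, host, port in exposed_listeners(SAMPLE):
        print(f"{name} port {port} is listening on {host}")
```

This checks bind addresses only; a wildcard bind that is protected by a firewall has to be verified separately.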


          People

          • Assignee: Jarek Gawor
          • Reporter: Jarek Gawor
          • Votes: 0
          • Watchers: 1
