| Summary: | JBoss 3.2.1 and 3.0.8 vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
| Component: | Vulnerabilities | Assignee: | Matthew Kennedy (RETIRED) <mkennedy> |
| Status: | RESOLVED FIXED | | |
| Severity: | blocker | CC: | absinthe, carlo, java, mkennedy, security, seemant |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Carsten Lohrke (RETIRED)
2003-10-07 04:52:57 UTC
Java team, can we correct this? Here is the fix

-----------------------------------------

The default configuration of the hsqldb service allows for interaction with the database over TCP/IP and can enable arbitrary code to be executed if the default username/password has not been changed. JBoss does not need the socket based access mode so one can disable this through two changes to the deploy/hsqldb-ds.xml configuration.

First, change:

```xml
<!-- for tcp connection, allowing other processes to use the hsqldb database -->
<connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
```

to:

```xml
<!-- for in-process db with file store, saved when jboss stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
<connection-url>jdbc:hsqldb:localDB</connection-url>
```

Next, comment out or remove this section:

```xml
<!-- this mbean should be used only when using tcp connections -->
<mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
  <attribute name="Port">1701</attribute>
  <attribute name="Silent">true</attribute>
  <attribute name="Database">default</attribute>
  <attribute name="Trace">false</attribute>
  <attribute name="No_system_exit">true</attribute>
</mbean>
```

Lastly, remove the dependency on the Hypersonic service by deleting this line:

```xml
<depends>jboss:service=Hypersonic</depends>
```

No one cares? It doesn't make sense to report security vulnerabilities, if no one is interested.

There's a new jboss version in between iirc.

java people, please put your input! Package masking jboss <=net-www/jboss-3.2.1-r1

I don't know who is leading up the java efforts on gentoo but this lack of resolution is not acceptable. We really value our bug reporters and when a lack of resolution happens it's just bad PR and is discouraging for people that report security bugs.

part of the problem is that there is barely a java team any more, and we're looking for people to become developers. Carlo, what's your java experience? email me.

> Carlo, what's your java experience?
What's Java? No, never liked it much...
I just noticed the vulnerability announcement and thought it would be worth a report. And I tend to be insistent with my reports. ;)
I remember there was a Java guy in forums.g.o, asking what he could do for Gentoo a few weeks ago.
i can handle this

fixed with jboss-3.2.3 now in portage

Hooray! ;)
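The three edits from the report, turned into a check an administrator can run against a deployed hsqldb-ds.xml before and after applying them. This is an added example, not code from the bug report or from JBoss; the two descriptors are constructed from the fragments quoted in the report (trimmed, not the verbatim 3.2.1 file) and the `audit_hsqldb_ds` function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the bug report (not the
# verbatim JBoss 3.2.1 file): TCP connection URL, Hypersonic mbean and <depends>.
VULNERABLE_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for tcp connection, allowing other processes to use the hsqldb database -->
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <depends>jboss:service=Hypersonic</depends>
  </local-tx-datasource>
  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Database">default</attribute>
  </mbean>
</datasources>"""

# The same descriptor after the edits from the report: in-process file store,
# no Hypersonic mbean, no <depends> on the Hypersonic service.
HARDENED_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for in-process db with file store, saved when jboss stops -->
    <connection-url>jdbc:hsqldb:localDB</connection-url>
  </local-tx-datasource>
</datasources>"""


def audit_hsqldb_ds(xml_text):
    """Return findings showing hsqldb is still reachable over TCP; [] means hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. connection-url still uses the hsql:// (socket) scheme instead of localDB
    for url in root.iter("connection-url"):
        text = (url.text or "").strip()
        if text.startswith("jdbc:hsqldb:hsql://"):
            findings.append("tcp-connection-url: " + text)
    # 2. the HypersonicDatabase mbean (the TCP listener) is still deployed
    for mbean in root.iter("mbean"):
        if mbean.get("code") == "org.jboss.jdbc.HypersonicDatabase":
            port = mbean.findtext("attribute[@name='Port']", "?")
            findings.append("hypersonic-mbean-port: " + port.strip())
    # 3. the datasource still depends on the Hypersonic service
    for dep in root.iter("depends"):
        if (dep.text or "").strip() == "jboss:service=Hypersonic":
            findings.append("depends-on-hypersonic-service")
    return findings
```

Pointing it at the real deploy/hsqldb-ds.xml only needs `audit_hsqldb_ds(open(path).read())`; a non-empty list means at least one of the three changes is still missing.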