Bug 30554 - JBoss 3.2.1 and 3.0.8 vulnerability
Summary: JBoss 3.2.1 and 3.0.8 vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High blocker
Assignee: Matthew Kennedy (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-10-07 04:52 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:38 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2003-10-07 04:52:57 UTC
The default configuration of the hsqldb service allows for interaction with the
database over TCP/IP and can enable arbitrary code to be executed if the default
username/password has not been changed.

http://www.securityfocus.com/archive/1/340443
http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866

Reproducible: Always
Comment 1 solar (RETIRED) gentoo-dev 2003-10-15 16:14:21 UTC
Java team

Can we correct this?
Comment 2 solar (RETIRED) gentoo-dev 2003-10-25 22:39:23 UTC
here is the fix
-----------------------------------------

The default configuration of the hsqldb service allows for interaction with
the database over TCP/IP and can enable arbitrary code to be executed if the
default username/password has not been changed. JBoss does not need the socket
based access mode so one can disable this through two changes to the deploy/hsqldb-ds.xml
configuration.

First, change:

  <!-- for tcp connection, allowing other processes to use the hsqldb database -->
  <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>

to:
  <!-- for in-process db with file store, saved when jboss stops.
       The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
  <connection-url>jdbc:hsqldb:localDB</connection-url>

Next, comment out or remove this section:

  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase"
    name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>

Lastly, remove the dependency on the Hypersonic service by deleting this
line: <depends>jboss:service=Hypersonic</depends>
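The three edits above are easy to verify by hand on one host, but on a fleet it helps to have a check that reads deploy/hsqldb-ds.xml and reports which of them is still missing. The script below is an added example for this bug page, not part of the comment or of the JBoss distribution; the two embedded XML documents are constructed, minimal imitations of the hsqldb-ds.xml layout (the real file carries more elements), and the "sa" / empty-password check relies on HSQLDB's built-in default account rather than on anything stated in the bug.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a JBoss 3.2.x deploy/hsqldb-ds.xml that still
# uses the socket-based HSQLDB server (the state the bug describes).
TCP_MODE_CONFIG = """
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for tcp connection, allowing other processes to use the hsqldb database -->
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password></password>
    <depends>jboss:service=Hypersonic</depends>
  </local-tx-datasource>
  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>
</datasources>
"""

# Constructed sample with the three changes from the comment applied (in-process
# database, no HypersonicDatabase mbean, no <depends>) and a placeholder password.
IN_PROCESS_CONFIG = """
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for in-process db with file store, saved when jboss stops -->
    <connection-url>jdbc:hsqldb:localDB</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password>PLACEHOLDER-change-me</password>
  </local-tx-datasource>
</datasources>
"""


def audit_hsqldb_ds(xml_text):
    """Return a list of findings for an hsqldb-ds.xml document.

    An empty list means the socket-based access mode is fully disabled and the
    datasource is not using HSQLDB's default credentials.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The connection URL must not use the hsql:// (TCP listener) scheme.
    for url in root.iter("connection-url"):
        value = (url.text or "").strip()
        if value.startswith("jdbc:hsqldb:hsql://"):
            findings.append("TCP connection-url still present: %s" % value)

    # 2. The HypersonicDatabase mbean starts the listener; it must be gone.
    for mbean in root.iter("mbean"):
        if mbean.get("code") == "org.jboss.jdbc.HypersonicDatabase":
            port = mbean.findtext("attribute[@name='Port']", default="?")
            findings.append("HypersonicDatabase mbean still deployed (Port %s)" % port)

    # 3. The datasource must no longer depend on the Hypersonic service.
    for dep in root.iter("depends"):
        if (dep.text or "").strip() == "jboss:service=Hypersonic":
            findings.append("depends on jboss:service=Hypersonic still present")

    # 4. HSQLDB's default account is "sa" with an empty password; flag it if unchanged.
    for ds in root.iter("local-tx-datasource"):
        user = (ds.findtext("user-name") or "").strip()
        password = (ds.findtext("password") or "").strip()
        if user == "sa" and password == "":
            findings.append("default HSQLDB credentials (sa / empty password) still in use")

    return findings


def audit_file(path):
    """Convenience wrapper for a real deploy/hsqldb-ds.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_hsqldb_ds(fh.read())


if __name__ == "__main__":
    for label, doc in (("tcp-mode sample", TCP_MODE_CONFIG), ("in-process sample", IN_PROCESS_CONFIG)):
        result = audit_hsqldb_ds(doc)
        print("%s: %s" % (label, "OK" if not result else "; ".join(result)))
```

Running the script prints four findings for the constructed TCP-mode document and "OK" for the in-process one; `audit_file("/path/to/server/default/deploy/hsqldb-ds.xml")` applies the same checks to a deployed configuration.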
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2003-11-20 11:57:45 UTC
No one cares? It doesn't make sense to report security vulnerabilities, if no one is interested. There's a new jboss version in between iirc.

Comment 4 Seemant Kulleen (RETIRED) gentoo-dev 2003-11-20 12:53:02 UTC
java people, please put your input!
Comment 5 solar (RETIRED) gentoo-dev 2003-12-10 11:52:37 UTC
Package masking jboss <=net-www/jboss-3.2.1-r1

I don't know who is leading up the java efforts on gentoo but this lack
of resolution is not acceptable.  We really value our bug reporters and
when a lack of resolution happens it's just bad PR and is discouraging
for people that report security bugs.
Comment 6 Seemant Kulleen (RETIRED) gentoo-dev 2003-12-10 12:25:20 UTC
part of the problem is that there is barely a java team any more, and we're looking for people to become developers.  Carlo, what's your java experience? email me.
Comment 7 Carsten Lohrke (RETIRED) gentoo-dev 2003-12-11 11:01:15 UTC
>Carlo, what's your java experience?
What's Java? No, never liked it much... 
I just noticed the vulnerability announcement and thought it would be worth a report. And I tend to be insistent with my reports. ;)

I remember there was a Java guy in forums.g.o, asking what he could do for Gentoo a few weeks ago.
Comment 8 Matthew Kennedy (RETIRED) gentoo-dev 2003-12-18 08:38:09 UTC
i can handle this
Comment 9 Matthew Kennedy (RETIRED) gentoo-dev 2003-12-20 00:50:49 UTC
fixed with jboss-3.2.3 now in portage
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2003-12-20 03:49:13 UTC
Hooray! ;)