The default configuration of the hsqldb service allows for interaction with the database over TCP/IP and can enable arbitrary code to be executed if the default username/password has not been changed.

http://www.securityfocus.com/archive/1/340443
http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Java team: can we correct this?
Here is the fix
-----------------------------------------
The default configuration of the hsqldb service allows for interaction with the database over TCP/IP and can enable arbitrary code to be executed if the default username/password has not been changed. JBoss does not need the socket based access mode, so one can disable this through two changes to the deploy/hsqldb-ds.xml configuration.

First, change:

<!-- for tcp connection, allowing other processes to use the hsqldb database -->
<connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>

to:

<!-- for in-process db with file store, saved when jboss stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
<connection-url>jdbc:hsqldb:localDB</connection-url>

Next, comment out or remove this section:

<!-- this mbean should be used only when using tcp connections -->
<mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
  <attribute name="Port">1701</attribute>
  <attribute name="Silent">true</attribute>
  <attribute name="Database">default</attribute>
  <attribute name="Trace">false</attribute>
  <attribute name="No_system_exit">true</attribute>
</mbean>

Lastly, remove the dependency on the Hypersonic service by deleting this line:

<depends>jboss:service=Hypersonic</depends>
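The fix above is a manual edit of deploy/hsqldb-ds.xml, so it helps to have a check that tells you whether a given copy of that file still has the socket-mode settings. The script below is an added example written for this page; it is not from the bug report, from Gentoo, or from JBoss. The two XML documents in it are constructed samples modelled on the fragments quoted in the comment above (one with the exposed configuration, one with the three changes applied), and the check for the stock "sa" account with an empty password is an assumption about HSQLDB's shipped default, not something the report states.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the deploy/hsqldb-ds.xml fragments quoted in the
# report (socket-mode URL, HypersonicDatabase mbean, Hypersonic dependency).
# It is not a verbatim copy of any JBoss release file.
EXPOSED_DS_XML = """\
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for tcp connection, allowing other processes to use the hsqldb database -->
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password></password>
    <depends>jboss:service=Hypersonic</depends>
  </local-tx-datasource>

  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>
</datasources>
"""

# Constructed sample with the fix applied: in-process file store, mbean removed,
# dependency removed, plus a placeholder non-default password.
HARDENED_DS_XML = """\
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for in-process db with file store, saved when jboss stops -->
    <connection-url>jdbc:hsqldb:localDB</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password>replace-me-before-deploy</password>
  </local-tx-datasource>
</datasources>
"""

HYPERSONIC_MBEAN = "org.jboss.jdbc.HypersonicDatabase"
HYPERSONIC_SERVICE = "jboss:service=Hypersonic"


def audit_hsqldb_ds(xml_text):
    """Return a list of findings for one hsqldb-ds.xml document (empty list = clean)."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Socket-mode JDBC URL: "jdbc:hsqldb:hsql://host:port" makes the datasource
    #    talk to a network listener instead of an in-process engine.
    for el in root.iter("connection-url"):
        url = (el.text or "").strip()
        if url.startswith("jdbc:hsqldb:hsql:"):
            findings.append("socket-mode connection-url: %s" % url)

    # 2. The HypersonicDatabase mbean is the component that actually opens the TCP port.
    for mbean in root.iter("mbean"):
        if mbean.get("code") == HYPERSONIC_MBEAN:
            port = "unknown"
            for attr in mbean.findall("attribute"):
                if attr.get("name") == "Port":
                    port = (attr.text or "").strip()
            findings.append("HypersonicDatabase mbean present, listening on port %s" % port)

    # 3. A leftover <depends> keeps the datasource tied to the network service.
    for dep in root.iter("depends"):
        if (dep.text or "").strip() == HYPERSONIC_SERVICE:
            findings.append("datasource depends on %s" % HYPERSONIC_SERVICE)

    # 4. Assumed here: the stock HSQLDB account is user "sa" with an empty password.
    #    Network reachability only turns into code execution while that is untouched.
    for ds in root.iter("local-tx-datasource"):
        user = (ds.findtext("user-name") or "").strip()
        password = (ds.findtext("password") or "").strip()
        if user == "sa" and password == "":
            findings.append("default credentials in use (user 'sa', empty password)")

    return findings


def audit_file(path):
    """Audit an on-disk hsqldb-ds.xml, e.g. $JBOSS_HOME/server/default/deploy/hsqldb-ds.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_hsqldb_ds(fh.read())


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_DS_XML), ("hardened", HARDENED_DS_XML)):
        result = audit_hsqldb_ds(doc)
        print("%s: %s" % (label, "OK" if not result else "%d finding(s)" % len(result)))
        for finding in result:
            print("  - " + finding)
```

Run it as-is to see the four findings against the exposed sample and none against the hardened one, or call audit_file() on a real deployment's hsqldb-ds.xml. The URL, mbean and dependency checks correspond one-to-one with the three edits in the fix; the credential check is separate because the fix above does not touch the account and only removes the network path to it.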
No one cares? It doesn't make sense to report security vulnerabilities if no one is interested. There's a new jboss version in between, iirc.
Java people, please put in your input!
Package masking jboss <=net-www/jboss-3.2.1-r1

I don't know who is leading up the java efforts on gentoo, but this lack of resolution is not acceptable. We really value our bug reporters, and when a lack of resolution happens it's just bad PR and is discouraging for people that are reporting security bugs.
Part of the problem is that there is barely a java team any more, and we're looking for people to become developers. Carlo, what's your java experience? Email me.
> Carlo, what's your java experience?

What's Java? No, never liked it much... I just noticed the vulnerability announcement and thought it would be worth a report. And I tend to be insistent with my reports. ;) I remember there was a Java guy in forums.g.o asking what he could do for Gentoo a few weeks ago.
I can handle this.
Fixed with jboss-3.2.3, now in portage.
Hooray! ;)