From ${URL} : Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1777 to the following vulnerability:

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

References:
[1] http://archives.neohapsis.com/archives/bugtraq/2013-07/0008.html
[2] http://geronimo.apache.org/30x-security-report.html
[3] http://www-01.ibm.com/support/docview.wss?uid=swg21643282
[4] https://issues.apache.org/jira/browse/GERONIMO-6477

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Appears to be fixed upstream at [1]. Also appears to only affect -core.

[1] http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1458113
CVE-2013-1777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1777): The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.
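The weakness described above is the JMX/RMI connector deserializing attacker-supplied objects and letting the RMI classloader resolve classes for them. As an added, defender-side illustration (not code from the bug report, from Geronimo, or from the upstream fix), the snippet below shows how a JMX RMI connector server can be started in a Java application with the platform's own hardening knobs: `java.rmi.server.useCodebaseOnly` stops the RMI classloader from fetching classes from a codebase named in the stream, and the `RMIConnectorServer` serial-filter properties (available in JDK 10+ and the 8u backports) restrict which classes the connector will deserialize at all. The port, filter patterns and class name `HardenedJmxServer` are assumptions for the example.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;

// Example only (hypothetical class name): starts a JMX RMI connector with
// deserialization restricted, as a mitigation for the class of issue in
// CVE-2013-1777. It is not the Geronimo fix.
public class HardenedJmxServer {

    public static JMXConnectorServer start(int port) throws Exception {
        // Never let the RMI classloader load classes from a codebase annotation
        // carried inside an incoming stream; only the server's own classpath is used.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        LocateRegistry.createRegistry(port);
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        Map<String, Object> env = new HashMap<>();
        // Allow-list of classes the connector may deserialize from clients;
        // "!*" rejects everything not listed. Pattern is an assumed example.
        env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN,
                "java.lang.*;java.util.*;javax.management.**;!*");
        // Credentials handed to the authenticator must be a plain String array.
        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN,
                "java.lang.String;!*");

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer cs = start(9999);
        System.out.println("JMX connector listening at " + cs.getAddress());
    }
}
```

The filter pattern should be tightened to the types the deployed MBeans actually accept; the point of the allow-list is that a serialized object of an unexpected class is rejected before its `readObject` runs, independent of whatever the RMI classloader would have resolved.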
Hi

After investigating what was wrong with this package, I've come to the conclusion that:
- this CVE indeed affects Apache Geronimo 3.0, which we don't have packaged in Portage.
- .. a software which is totally different from mx4j.
- after looking at the URL given by Chris, I've sieved through all the source code in mx4j and mx4j-core and there's only one file called JMXConnector.java, whose content is widely different from the fix suggested by the URL. In mx4j, JMXConnector.java is an interface instead of a class.

Again, this CVE does not affect mx4j but Apache Geronimo.

You can go ahead, close this bug and mark it as INVALID.
Created attachment 405104: JMXConnector.java

Compare this file content with http://svn.apache.org/viewvc/geronimo/server/branches/3.0/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java?view=markup&sortby=date&pathrev=1458113.
(In reply to Patrice Clement from comment #3)
> Hi
>
> After investigating what was wrong with this package, I've come to the
> conclusion that:
> - this CVE indeed affects Apache Geronimo 3.0 which we don't have packaged
> in Portage.
> - .. a software which is totally different from mx4j.
> - after looking at the URL given by Chris, I've sieved through all the
> source code in mx4j and mx4j-core and there's only one file called
> JMXConnector.java which content is widely different from the fix suggested
> by the URL. In mx4j, JMXConnector.java is an interface instead of class.
>
> Again, this CVE does not affect mx4j but Apache Geronimo.
>
> You can go ahead, close this bug and mark it as INVALID.

Thanks for the work in detecting this, closing.