| Field | Value |
|---|---|
| Summary | dev-java/mx4j-core: Improper RMI classloader implementation in JMX remoting functionality leading to arbitrary code execution (CVE-2013-1777) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED INVALID |
| Severity | major |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| CC | java |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=984057 |
| Whiteboard | B1 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2013-07-12 18:59:38 UTC

Appears to be fixed upstream at [1]. Also appears to only affect -core.

[1] http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1458113

CVE-2013-1777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1777): The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

Comment #3
Patrice Clement

Hi

After investigating what was wrong with this package, I've come to the conclusion that:
- this CVE indeed affects Apache Geronimo 3.0 which we don't have packaged in Portage.
- .. a software which is totally different from mx4j.
- after looking at the URL given by Chris, I've sieved through all the source code in mx4j and mx4j-core and there's only one file called JMXConnector.java whose content is widely different from the fix suggested by the URL. In mx4j, JMXConnector.java is an interface instead of a class.

Again, this CVE does not affect mx4j but Apache Geronimo.

You can go ahead, close this bug and mark it as INVALID.

Comment
Patrice Clement

Created attachment 405104: JMXConnector.java

Compare this file content with http://svn.apache.org/viewvc/geronimo/server/branches/3.0/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java?view=markup&sortby=date&pathrev=1458113.

Comment

(In reply to Patrice Clement from comment #3)
> Hi
>
> After investigating what was wrong with this package, I've come to the
> conclusion that:
> - this CVE indeed affects Apache Geronimo 3.0 which we don't have packaged
> in Portage.
> - .. a software which is totally different from mx4j.
> - after looking at the URL given by Chris, I've sieved through all the
> source code in mx4j and mx4j-core and there's only one file called
> JMXConnector.java which content is widely different from the fix suggested
> by the URL. In mx4j, JMXConnector.java is an interface instead of class.
>
> Again, this CVE does not affect mx4j but Apache Geronimo.
>
> You can go ahead, close this bug and mark it as INVALID.

Thanks for the work in detecting this, closing.