Geronimo 2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076
The Axis2 team has recently discovered a security vulnerability that may allow a remote attacker to launch a denial of service attack. It is also possible for the attacker to steal information from the machine running the web services. For more information on this vulnerability, please refer to the following document:
A similar vulnerability exists in the Apache CXF web services runtime as well. The CXF vulnerability is documented in the following document:
How is Apache Geronimo Affected?
Apache Geronimo includes Apache Axis2 and Apache CXF as the web services runtimes. As a result, web services running on Apache Geronimo are vulnerable to this security issue.
These issues have been fixed in Apache CXF v2.1.10, Apache Axis2 v1.5.2, and Axiom v1.2.9.
How can I avoid these vulnerabilities in Apache Geronimo?
These vulnerabilities will be fixed in a future Geronimo v2.2.1 release. Until the new releases are available, the web services support can be disabled or the release can be patched with updated axis2 and axiom components.
If you are not using the web services support, you can explicitly disable the web services to remove the vulnerability. To disable all web services, make the following updates to the <GERONIMO_HOME>/var/config/config.xml file:
- Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/cxf-deployer//car module.
- Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/axis2-deployer//car module.
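The two edits above can be applied mechanically. The following script is an added example (not part of the Geronimo project or of this advisory) that rewrites the <module> entries whose name starts with either deployer id: it drops the condition attribute and sets load="false", and leaves every other module untouched. The "//car" in the module ids means "any version", so the match is on the prefix up to the version segment. The config.xml content embedded below is a constructed sample; only the two module ids come from the instructions, and the property name inside the condition expression is a hypothetical placeholder.

```python
"""Disable the Geronimo web services deployer modules in config.xml.

Added example, not Geronimo project code. Drops the condition attribute and
sets load="false" on the cxf-deployer and axis2-deployer modules, as the
patch instructions describe, and reports which modules were changed.
"""
import sys
import xml.etree.ElementTree as ET

# Module ids from the instructions; "//car" means "any version", so the match
# is on the prefix up to the version segment plus the trailing "/car".
WEB_SERVICE_DEPLOYERS = (
    "org.apache.geronimo.configs/cxf-deployer/",
    "org.apache.geronimo.configs/axis2-deployer/",
)

# Constructed sample config.xml; the real file lists many more modules and the
# condition expressions are server specific (the property name is hypothetical).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">
  <module name="org.apache.geronimo.configs/j2ee-server/2.2/car"/>
  <module name="org.apache.geronimo.configs/axis2-deployer/2.2/car"
          condition="props['hypothetical.jaxws.provider'] == 'axis2'"/>
  <module name="org.apache.geronimo.configs/cxf-deployer/2.2/car"
          condition="props['hypothetical.jaxws.provider'] == 'cxf'"/>
</attributes>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def disable_modules(config_xml, prefixes=WEB_SERVICE_DEPLOYERS):
    """Return (rewritten_xml, names_of_changed_modules).

    For every <module> whose name starts with one of the prefixes and ends with
    "/car": remove the condition attribute and set load="false".
    """
    root = ET.fromstring(config_xml)
    if root.tag.startswith("{"):
        # Keep the file's default namespace instead of emitting an ns0: prefix.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changed = []
    for elem in root.iter():
        if _local(elem.tag) != "module":
            continue
        name = elem.get("name", "")
        if name.endswith("/car") and any(name.startswith(p) for p in prefixes):
            elem.attrib.pop("condition", None)
            elem.set("load", "false")
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


def module_states(config_xml):
    """Map module name -> (load attribute or None, has a condition attribute).

    Used to verify the edit before the file is written back.
    """
    root = ET.fromstring(config_xml)
    return {
        e.get("name"): (e.get("load"), "condition" in e.attrib)
        for e in root.iter()
        if _local(e.tag) == "module"
    }


if __name__ == "__main__":
    # Usage: python disable_ws.py [<GERONIMO_HOME>/var/config/config.xml]
    # Without an argument the constructed sample is rewritten to stdout.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_CONFIG_XML
    rewritten, changed = disable_modules(source)
    print(rewritten)
    print("disabled:", ", ".join(changed) or "nothing matched", file=sys.stderr)
```

Run it against a copy of config.xml first and compare with diff; Geronimo rewrites config.xml itself on shutdown, so make the edit while the server is stopped.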
If you still require web services access, the following steps will upgrade the Axis2 and CXF versions used by the server.
Upgrading Axis2 and CXF on an existing server
Upgrading Axis2
Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo v2.2. By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime.
This vulnerability is fixed in the axiom 1.2.9 and axis2 1.5.2 releases. Patching the Geronimo server requires replacing these components in the server repository.
- If your server is running, stop the server.
- Make a backup of the directories <GERONIMO_HOME>/repository/org/apache/axis2/ and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/. Once done, delete the directories <GERONIMO_HOME>/repository/org/apache/axis2/ and <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/.
- Download the 1.2.9 version of all jars present in the axiom repository directory from http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/. For example, axiom-api-1.2.9.jar can be downloaded from http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/. The following jars are required:
- Copy all the jars according to the original repository directory structure. For example, copy axiom-api-1.2.9.jar to <GERONIMO_HOME>/repository/org/apache/ws/commons/axiom/1.2.9.
- Download the 1.5.2 version of all jars present in the axis2 repository directory from http://repo1.maven.org/maven2/org/apache/axis2/. For example, axis2-jaxws-1.5.2.jar can be downloaded from http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar. The following jars are required:
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-kernel/1.5.2/axis2-kernel-1.5.2.jar
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-metadata/1.5.2/axis2-metadata-1.5.2.jar
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-saaj/1.5.2/axis2-saaj-1.5.2.jar
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-http/1.5.2/axis2-transport-http-1.5.2.jar
- http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-local/1.5.2/axis2-transport-local-1.5.2.jar
- Copy all the jars according to the original repository directory structure. For example, copy axis2-jaxws-1.5.2.jar to <GERONIMO_HOME>/repository/org/apache/axis2/axis2-jaxws/1.5.2.
- Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties file in edit mode and add the following entries (one per line):
  org.apache.axis2/axis2-jaxws/1.5/jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
  org.apache.axis2/axis2-kernel/1.5/jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
  org.apache.axis2/axis2-metadata/1.5/jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
  org.apache.axis2/axis2-saaj/1.5/jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
  org.apache.axis2/axis2-transport-http/1.5/jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
  org.apache.axis2/axis2-transport-local/1.5/jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
  org.apache.axis2/axis2-jaxws//jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
  org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
  org.apache.axis2/axis2-metadata//jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
  org.apache.axis2/axis2-saaj//jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
  org.apache.axis2/axis2-transport-http//jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
  org.apache.axis2/axis2-transport-local//jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
  org.apache.ws.commons.axiom/axiom-api/1.2.8/jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
  org.apache.ws.commons.axiom/axiom-dom/1.2.8/jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
  org.apache.ws.commons.axiom/axiom-impl/1.2.8/jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
  org.apache.ws.commons.axiom/axiom-api//jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
  org.apache.ws.commons.axiom/axiom-dom//jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
  org.apache.ws.commons.axiom/axiom-impl//jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
- Start the server.
Upgrading CXF
Follow these steps if you are using Apache CXF as the web services runtime in Apache Geronimo v2.2. By default, the Geronimo Jetty assembly uses CXF as the web services runtime.
- If your server is running, stop the server.
- Make a backup of <GERONIMO_HOME>/repository/org/apache/cxf directory. Once done, delete the directory <GERONIMO_HOME>/repository/org/apache/cxf.
- Download the 2.1.10 version of all jars present in the cxf repository directory from http://repo1.maven.org/maven2/org/apache/cxf/. For example, cxf-common-utilities-2.1.10.jar can be downloaded from http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/. The following jars are required:
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.1.10/cxf-api-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/cxf-common-utilities-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.1.10/cxf-rt-bindings-soap-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.1.10/cxf-rt-bindings-xml-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.1.10/cxf-rt-core-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.1.10/cxf-rt-databinding-jaxb-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.1.10/cxf-rt-frontend-jaxws-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.1.10/cxf-rt-frontend-simple-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.1.10/cxf-rt-transports-http-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-addr/2.1.10/cxf-rt-ws-addr-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-security/2.1.10/cxf-rt-ws-security-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.1.10/cxf-tools-common-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-java2ws/2.1.10/cxf-tools-java2ws-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-validator/2.1.10/cxf-tools-validator-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-core/2.1.10/cxf-tools-wsdlto-core-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/cxf-tools-wsdlto-databinding-jaxb-2.1.10.jar
- http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/cxf-tools-wsdlto-frontend-jaxws-2.1.10.jar
- Copy all the jars according to the original repository directory structure. For example, copy cxf-common-utilities-2.1.10.jar to <GERONIMO_HOME>/repository/org/apache/cxf/cxf-common-utilities/2.1.10/.
- Open the <GERONIMO_HOME>/var/config/artifact_aliases.properties file in edit mode and add the following entries (one per line; every alias target must name one of the 2.1.10 jars copied in the previous step):
  org.apache.cxf/cxf-api/2.1.4/jar=org.apache.cxf/cxf-api/2.1.10/jar
  org.apache.cxf/cxf-common-schemas/2.1.4/jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
  org.apache.cxf/cxf-common-utilities/2.1.4/jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
  org.apache.cxf/cxf-rt-bindings-soap/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
  org.apache.cxf/cxf-rt-bindings-xml/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
  org.apache.cxf/cxf-rt-core/2.1.4/jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
  org.apache.cxf/cxf-rt-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
  org.apache.cxf/cxf-rt-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
  org.apache.cxf/cxf-rt-frontend-simple/2.1.4/jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
  org.apache.cxf/cxf-rt-transports-http/2.1.4/jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
  org.apache.cxf/cxf-rt-ws-addr/2.1.4/jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
  org.apache.cxf/cxf-rt-ws-security/2.1.4/jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
  org.apache.cxf/cxf-tools-common/2.1.4/jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
  org.apache.cxf/cxf-tools-java2ws/2.1.4/jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
  org.apache.cxf/cxf-tools-validator/2.1.4/jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-core/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
  org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.1.10/jar
  org.apache.cxf/cxf-common-schemas//jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
  org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
  org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
  org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
  org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
  org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
  org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-rt-frontend-jaxws/2.1.10/jar
  org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-rt-frontend-simple/2.1.10/jar
  org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-rt-transports-http/2.1.10/jar
  org.apache.cxf/cxf-rt-ws-addr//jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
  org.apache.cxf/cxf-rt-ws-security//jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
  org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
  org.apache.cxf/cxf-tools-java2ws//jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
  org.apache.cxf/cxf-tools-validator//jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-core//jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb//jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
  org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws//jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
- Start the server.
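Both upgrade procedures above (Axis2/Axiom and CXF) end the same way: the old jars are removed from <GERONIMO_HOME>/repository, the new ones are copied in under group/artifact/version, and artifact_aliases.properties gets two entries per artifact (the pinned old version and the versionless "//jar" form, both pointing at the new version). An alias whose target jar is not actually in the repository, or an old jar left behind, means the server is still loading unpatched code, so it is worth checking before the server is started. The script below is an added example (not Geronimo project code): alias_entries() generates the entries in exactly that shape, jar_path() computes where Geronimo's repository layout expects a jar, and audit_repository() reports alias targets with no jar on disk and old-version jars that survived the cleanup. The group, artifact names and versions are the CXF ones from the instructions; the repository built in demo() is a constructed stand-in made of empty files (it does not download anything).

```python
"""Generate artifact_aliases.properties entries and audit the patched repository.

Added example, not Geronimo project code. Works for any group/artifact set;
the constants below are the CXF 2.1.4 -> 2.1.10 upgrade from the instructions.
"""
import tempfile
from pathlib import Path

CXF_GROUP = "org.apache.cxf"
CXF_OLD, CXF_NEW = "2.1.4", "2.1.10"
CXF_ARTIFACTS = (
    "cxf-api", "cxf-common-schemas", "cxf-common-utilities",
    "cxf-rt-bindings-soap", "cxf-rt-bindings-xml", "cxf-rt-core",
    "cxf-rt-databinding-jaxb", "cxf-rt-frontend-jaxws", "cxf-rt-frontend-simple",
    "cxf-rt-transports-http", "cxf-rt-ws-addr", "cxf-rt-ws-security",
    "cxf-tools-common", "cxf-tools-java2ws", "cxf-tools-validator",
    "cxf-tools-wsdlto-core", "cxf-tools-wsdlto-databinding-jaxb",
    "cxf-tools-wsdlto-frontend-jaxws",
)


def alias_entries(group, artifacts, old_version, new_version):
    """Two alias lines per artifact: pinned old version and versionless form."""
    pinned = [f"{group}/{a}/{old_version}/jar={group}/{a}/{new_version}/jar" for a in artifacts]
    unversioned = [f"{group}/{a}//jar={group}/{a}/{new_version}/jar" for a in artifacts]
    return pinned + unversioned


def jar_path(geronimo_home, group, artifact, version):
    """Where Geronimo's repository layout keeps a jar:
    <home>/repository/<group as dirs>/<artifact>/<version>/<artifact>-<version>.jar"""
    return Path(geronimo_home, "repository", *group.split("."), artifact, version,
                f"{artifact}-{version}.jar")


def parse_aliases(text):
    """Parse properties-file text into {alias: target}, ignoring comments/blanks."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        aliases[key.strip()] = value.strip()
    return aliases


def audit_repository(geronimo_home, aliases, group, artifacts, old_version):
    """Return (alias targets with no jar on disk, old-version jars still present)."""
    unresolved = []
    for target in sorted(set(aliases.values())):
        g, a, v, _artifact_type = target.split("/")
        if not jar_path(geronimo_home, g, a, v).is_file():
            unresolved.append(target)
    leftover = [str(p) for a in artifacts
                if (p := jar_path(geronimo_home, group, a, old_version)).exists()]
    return unresolved, leftover


def demo():
    """Build a constructed repository of empty files with two deliberate
    mistakes (one old jar not deleted, one new jar not copied) and audit it."""
    with tempfile.TemporaryDirectory() as home:
        for a in CXF_ARTIFACTS:
            p = jar_path(home, CXF_GROUP, a, CXF_NEW)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        stale = jar_path(home, CXF_GROUP, "cxf-api", CXF_OLD)   # cleanup missed it
        stale.parent.mkdir(parents=True, exist_ok=True)
        stale.touch()
        jar_path(home, CXF_GROUP, "cxf-rt-core", CXF_NEW).unlink()  # copy missed it
        props = "\n".join(alias_entries(CXF_GROUP, CXF_ARTIFACTS, CXF_OLD, CXF_NEW))
        unresolved, leftover = audit_repository(
            home, parse_aliases(props), CXF_GROUP, CXF_ARTIFACTS, CXF_OLD)
        return unresolved, [Path(p).name for p in leftover]


if __name__ == "__main__":
    print("\n".join(alias_entries(CXF_GROUP, CXF_ARTIFACTS, CXF_OLD, CXF_NEW)))
    unresolved, leftover = demo()
    print("unresolved alias targets:", unresolved)
    print("old jars left behind:", leftover)
```

To audit a real installation, read <GERONIMO_HOME>/var/config/artifact_aliases.properties with parse_aliases() and pass the actual GERONIMO_HOME to audit_repository(); the Axis2/Axiom procedure is checked the same way with its own group, artifact list and versions from the instructions.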