You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

2007-09-06
We have discovered a security vulnerability in Geronimo, where the management EJB (MEJB) allows unchallenged access to Geronimo internals.
As a temporary workaround you can modify the config.xml to disable MEJB.

To disable MEJB make the following modifications to the configuration file at <geronimo_home>/var/config.xml.

Excerpt from config.xml
....
<module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
    ...
    </gbean>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
</module>
...

We will be releasing a new version soon to control access to MEJB in a more secure way. This issue will be tracked in JIRA GERONIMO-3456.

  • No labels