All,
We have discovered a security vulnerability in Geronimo, where the
management EJB (MEJB) allows unchallenged access to Geronimo internals.
A temporary workaround is to make the following modifications to the
configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
MEJB.

    <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
        <gbean name="EJBNetworkService">
            .........................................
        </gbean>
        <gbean load="false" name="ejb/mgmt/MEJB"/>
    </module>

We will be releasing a new version soon to control access to MEJB in a
more secure way. This issue will be tracked in
https://issues.apache.org/jira/browse/GERONIMO-3456
Thanks
Anita
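
Added example (not part of the original message and not Geronimo project code): a Python check that parses a config.xml and reports, for each openejb module, whether the workaround above is in place. The function name, the state labels and the sample document are assumptions made for this illustration; the MEJB entry is matched by the exact short name shown in the message.

```python
import sys
import xml.etree.ElementTree as ET

# Values taken from the advisory; the version segment is left open on purpose.
MODULE_PREFIX = "org.apache.geronimo.configs/openejb/"
MEJB_GBEAN = "ejb/mgmt/MEJB"


def _local(tag):
    """Strip an XML namespace, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def mejb_status(xml_text):
    """Return {module name: state} for every openejb module in config.xml.

    disabled: every MEJB gbean entry carries load="false" (workaround applied)
    enabled:  an MEJB entry exists without load="false"
    missing:  no MEJB entry, so the workaround has not been applied
    """
    status = {}
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("name", "")
        if _local(elem.tag) != "module" or not name.startswith(MODULE_PREFIX):
            continue
        loads = [g.get("load", "").strip().lower() for g in elem
                 if _local(g.tag) == "gbean" and g.get("name") == MEJB_GBEAN]
        if not loads:
            status[name] = "missing"
        elif all(v == "false" for v in loads):
            status[name] = "disabled"
        else:
            status[name] = "enabled"
    return status


# Constructed sample, not a real config.xml: the advisory's snippet in a made-up root.
SAMPLE = """<attributes xmlns="urn:example:constructed">
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService"/>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
  </module>
</attributes>"""

if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = mejb_status(text)
    for module, state in result.items():
        print(f"{module}: MEJB {state}")
    # Non-zero exit when no openejb module was found or any module is not disabled.
    sys.exit(0 if result and set(result.values()) == {"disabled"} else 1)
```

Run it with the path to <GERONIMO_HOME>/var/config.xml as the only argument; with no argument it checks the constructed sample.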