If someone wanted to use MEJB, configuring EJBNetworkService to listen to only localhost is an option, i.e. only local monitoring can be done. For all other cases turning off MEJB is a better option because it allows people to use remote EJBs.
Thanks
Anita

--- Donald Woods <[EMAIL PROTECTED]> wrote:

> Why not recommend setting it to only listen for localhost connections instead
> of the default 0.0.0.0 for now, to match the default setting used by
> RemoteDeploy?
>
> <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
> <gbean name="EJBNetworkService">
> <attribute name="host">127.0.0.1</attribute>
> </gbean>
> </module>
>
> -Donald
>
> Anita Kulshreshtha wrote:
> > All,
> > We have discovered a security vulnerability in Geronimo, where the
> > management EJB (MEJB) allows unchallenged access to Geronimo internals.
> > A temporary workaround is to make the following modifications to the
> > configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
> > MEJB.
> >
> > <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
> > <gbean name="EJBNetworkService">
> > .........................................
> > </gbean>
> > <gbean load="false" name="ejb/mgmt/MEJB"/>
> > </module>
> >
> > We will be releasing a new version soon to control access to MEJB in a
> > more secure way. This issue will be tracked in
> > https://issues.apache.org/jira/browse/GERONIMO-3456
> >
> > Thanks
> > Anita
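A small configuration check, added here as an example and not part of the thread or of Geronimo itself: it parses the openejb module of a config.xml and reports whether MEJB is disabled, bound to localhost only, or still reachable remotely. It assumes the 0.0.0.0 default bind address Donald mentions when no host attribute is present, and the XML samples are constructed from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

OPENEJB_MODULE = "org.apache.geronimo.configs/openejb/2.0.1/car"
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _cfg(gbeans):
    """Build a constructed config.xml containing only the openejb module (test fixture, not a real file)."""
    return '<attributes><module name="%s">%s</module></attributes>' % (OPENEJB_MODULE, gbeans)


# Constructed samples: stock settings, Donald's localhost binding, and Anita's load="false" workaround.
SAMPLE_DEFAULT = _cfg('<gbean name="EJBNetworkService"/><gbean name="ejb/mgmt/MEJB"/>')
SAMPLE_LOCALHOST = _cfg('<gbean name="EJBNetworkService"><attribute name="host">127.0.0.1</attribute></gbean>')
SAMPLE_DISABLED = _cfg('<gbean name="EJBNetworkService"/><gbean load="false" name="ejb/mgmt/MEJB"/>')


def _local(tag):
    """Strip any XML namespace prefix so the check works whether or not config.xml declares one."""
    return tag.rpartition("}")[2]


def assess_mejb(config_xml):
    """Return how MEJB is exposed according to the openejb module of the given config.xml text."""
    mejb_loaded = True   # a gbean without load="false" is loaded
    host = "0.0.0.0"     # assumed default bind address when no host attribute is set
    root = ET.fromstring(config_xml)
    for module in root.iter():
        if _local(module.tag) != "module" or module.get("name") != OPENEJB_MODULE:
            continue
        for gbean in module:
            if _local(gbean.tag) != "gbean":
                continue
            if gbean.get("name") == "ejb/mgmt/MEJB":
                mejb_loaded = gbean.get("load", "true").lower() != "false"
            elif gbean.get("name") == "EJBNetworkService":
                for attr in gbean:
                    if _local(attr.tag) == "attribute" and attr.get("name") == "host":
                        host = (attr.text or "").strip() or host
    if not mejb_loaded:
        verdict = "disabled"        # MEJB not deployed at all
    elif host in LOCAL_HOSTS:
        verdict = "local-only"      # only local monitoring possible
    else:
        verdict = "remote-exposed"  # unchallenged remote access to MEJB remains
    return {"mejb_loaded": mejb_loaded, "host": host, "verdict": verdict}


if __name__ == "__main__":
    for label, xml in (("default", SAMPLE_DEFAULT), ("localhost", SAMPLE_LOCALHOST), ("disabled", SAMPLE_DISABLED)):
        print(label, assess_mejb(xml))
```

Run it against a real file with `assess_mejb(open(path).read())`; a "remote-exposed" verdict means neither workaround from the thread is in place.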
