MEJB Security Alert
All,

We have discovered a security vulnerability in Geronimo, where the management EJB (MEJB) allows unchallenged access to Geronimo internals. A temporary workaround is to make the following modifications to the configuration file at GERONIMO_HOME/var/config.xml. This will disable MEJB.

    <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
        <gbean name="EJBNetworkService">
            ...
        </gbean>
        <gbean load="false" name="ejb/mgmt/MEJB"/>
    </module>

We will be releasing a new version soon to control access to MEJB in a more secure way. This issue will be tracked in https://issues.apache.org/jira/browse/GERONIMO-3456

Thanks
Anita
Re: MEJB Security Alert
Why not recommend setting it to only listen for localhost connections instead of the default 0.0.0.0 for now, to match the default setting used by RemoteDeploy?

    <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
        <gbean name="EJBNetworkService">
            <attribute name="host">127.0.0.1</attribute>
        </gbean>
    </module>

-Donald

Anita Kulshreshtha wrote:
> All,
>
> We have discovered a security vulnerability in Geronimo, where the management EJB (MEJB) allows unchallenged access to Geronimo internals. A temporary workaround is to make the following modifications to the configuration file at GERONIMO_HOME/var/config.xml. This will disable MEJB.
>
>     <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
>         <gbean name="EJBNetworkService">
>             ...
>         </gbean>
>         <gbean load="false" name="ejb/mgmt/MEJB"/>
>     </module>
>
> We will be releasing a new version soon to control access to MEJB in a more secure way. This issue will be tracked in https://issues.apache.org/jira/browse/GERONIMO-3456
>
> Thanks
> Anita
Re: MEJB Security Alert
If someone wanted to use MEJB, configuring EJBNetworkService to listen to only localhost is an option, i.e. only local monitoring can be done. For all other cases turning off MEJB is a better option because it allows people to use remote EJBs.

Thanks
Anita

--- Donald Woods [EMAIL PROTECTED] wrote:
> Why not recommend setting it to only listen for localhost connections instead of the default 0.0.0.0 for now, to match the default setting used by RemoteDeploy?
>
>     <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
>         <gbean name="EJBNetworkService">
>             <attribute name="host">127.0.0.1</attribute>
>         </gbean>
>     </module>
>
> -Donald
>
> Anita Kulshreshtha wrote:
>> All,
>>
>> We have discovered a security vulnerability in Geronimo, where the management EJB (MEJB) allows unchallenged access to Geronimo internals. A temporary workaround is to make the following modifications to the configuration file at GERONIMO_HOME/var/config.xml. This will disable MEJB.
>>
>>     <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
>>         <gbean name="EJBNetworkService">
>>             ...
>>         </gbean>
>>         <gbean load="false" name="ejb/mgmt/MEJB"/>
>>     </module>
>>
>> We will be releasing a new version soon to control access to MEJB in a more secure way. This issue will be tracked in https://issues.apache.org/jira/browse/GERONIMO-3456
>>
>> Thanks
>> Anita
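The two mitigations discussed in this thread (Anita's `load="false"` on the MEJB gbean, and Donald's binding of EJBNetworkService to 127.0.0.1) can both be verified from config.xml. The following is an added audit script, not code from the thread or from the Geronimo project: it parses a config.xml, locates the openejb module named in the messages, and reports whether MEJB is still loaded and whether the EJB listener is bound to a loopback address. It assumes the element layout shown in the messages (module / gbean / attribute), ignores any XML namespace on those elements, and treats a missing `host` attribute as the 0.0.0.0 default Donald mentions. The three sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Module and gbean names exactly as given in the thread.
OPENEJB_MODULE = "org.apache.geronimo.configs/openejb/2.0.1/car"
MEJB_GBEAN = "ejb/mgmt/MEJB"
NETWORK_GBEAN = "EJBNetworkService"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
DEFAULT_HOST = "0.0.0.0"  # assumption: default bind address per Donald's message


def _local_name(tag: str) -> str:
    """Strip an '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_mejb(config_xml: str) -> dict:
    """Return the MEJB exposure state described by a Geronimo config.xml string.

    exposed is True when MEJB is still loaded AND EJBNetworkService is bound
    to a non-loopback address (or to nothing, i.e. the 0.0.0.0 default).
    """
    root = ET.fromstring(config_xml)
    state = {
        "mejb_loaded": True,       # absent gbean entry means default (loaded)
        "ejb_host": DEFAULT_HOST,  # absent host attribute means 0.0.0.0
        "exposed": True,
        "findings": [],
    }

    for module in root.iter():
        if _local_name(module.tag) != "module" or module.get("name") != OPENEJB_MODULE:
            continue
        for gbean in module:
            if _local_name(gbean.tag) != "gbean":
                continue
            if gbean.get("name") == MEJB_GBEAN:
                # load="false" is the workaround from the first message.
                state["mejb_loaded"] = gbean.get("load", "true").strip().lower() != "false"
            elif gbean.get("name") == NETWORK_GBEAN:
                for attr in gbean:
                    if _local_name(attr.tag) == "attribute" and attr.get("name") == "host":
                        state["ejb_host"] = (attr.text or "").strip() or DEFAULT_HOST

    loopback_only = state["ejb_host"] in LOOPBACK_HOSTS
    state["exposed"] = state["mejb_loaded"] and not loopback_only

    if not state["mejb_loaded"]:
        state["findings"].append("OK: MEJB gbean has load=\"false\"; remote EJBs remain usable.")
    elif loopback_only:
        state["findings"].append(
            f"OK: MEJB loaded but EJBNetworkService bound to {state['ejb_host']} (local monitoring only).")
    else:
        state["findings"].append(
            f"EXPOSED: MEJB loaded and EJBNetworkService bound to {state['ejb_host']}; "
            "apply load=\"false\" to ejb/mgmt/MEJB or set host to 127.0.0.1.")
    return state


# --- constructed sample documents (not real Geronimo files) -----------------
DEFAULT_CONFIG = f"""<attributes>
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="port">4201</attribute>
    </gbean>
  </module>
</attributes>"""

DISABLED_CONFIG = f"""<attributes>
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="host">0.0.0.0</attribute>
    </gbean>
    <gbean load="false" name="{MEJB_GBEAN}"/>
  </module>
</attributes>"""

LOCALHOST_CONFIG = f"""<attributes xmlns="urn:example:namespaced">
  <module name="{OPENEJB_MODULE}">
    <gbean name="{NETWORK_GBEAN}">
      <attribute name="host">127.0.0.1</attribute>
    </gbean>
  </module>
</attributes>"""

if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_CONFIG),
                       ("mejb disabled", DISABLED_CONFIG),
                       ("loopback bind", LOCALHOST_CONFIG)):
        print(f"[{label}] {audit_mejb(doc)['findings'][0]}")
```

To run it against a live server, read GERONIMO_HOME/var/config.xml into a string and pass it to `audit_mejb`; the `exposed` flag is the one to alert on. The script deliberately checks both mitigations rather than one, since Anita's reply makes the point that they serve different deployments: the loopback bind keeps MEJB for local monitoring, while `load="false"` keeps remote EJBs usable.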