The Geronimo project has learned of a security vulnerability in the
Jetty servlet container (6.1.5) included in Geronimo. If you use a
Jetty configuration of Geronimo you may be affected by the vulnerability.
This vulnerability impacts Jetty configurations of Geronimo 2.0.1 and 2.0.2.
For specific information regarding the Jetty vulnerability, see
http://www.kb.cert.org/vuls/id/553235
The problem is related to the processing of URLs which contain multiple
consecutive forward slash (/) characters; such URLs are handled incorrectly
(for example, http://foo//../bar).
If your system is susceptible to attacks using such URLs, we recommend
that you filter these URLs using an application firewall or reverse
proxy server.
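As an added illustration of the filtering recommendation (example code, not part of the advisory or of the Geronimo or Jetty projects), the following POSIX shell function scans combined-format access log lines and reports every request whose path contains consecutive forward slashes, so an operator can see whether such requests are reaching the server before or after a proxy rule is put in place. It assumes the combined log format (request path in the seventh whitespace-separated field); the sample log lines are constructed, and catching the percent-encoded form %2F%2F as well is an assumption about what a proxy filter should also cover, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): flag requests whose path contains
# consecutive forward slashes, the URL pattern the advisory warns about.
# Input is a combined-format access log; field 7 is the request path, so the
# "http://" inside a Referer field (field 10) does not produce false matches.

# Constructed sample log lines so the script runs stand-alone.
SAMPLE_LOG='192.0.2.10 - - [10/Jan/2008:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "http://intranet.example/" "Mozilla/5.0"
192.0.2.11 - - [10/Jan/2008:12:00:01 +0000] "GET /foo//../bar HTTP/1.1" 200 1024 "-" "curl/7.16"
192.0.2.12 - - [10/Jan/2008:12:00:02 +0000] "GET /foo/bar.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Jan/2008:12:00:03 +0000] "GET /foo/%2F%2F../bar HTTP/1.1" 200 1024 "-" "curl/7.16"'

# Print every log line (read from stdin) whose request path contains "//".
# Matching the percent-encoded form "%2f%2f" too is an assumption about what
# a reverse proxy filter should also reject; the comparison is case-insensitive.
flag_double_slash_requests() {
    awk 'tolower($7) ~ "//|%2f%2f" { print }'
}

# Number of flagged lines in the constructed sample (2 with the lines above).
count_flagged_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_double_slash_requests | wc -l | tr -d ' '
}

# Typical use against a real log: flag_double_slash_requests < access.log
printf '%s\n' "$SAMPLE_LOG" | flag_double_slash_requests
```

The same match on the decoded request path is what an application firewall or reverse proxy rule would apply before the request reaches Jetty; running the scan over existing logs shows whether the pattern has already been seen.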
Alternatively, you can upgrade your Geronimo Jetty server image to
utilize the corrected Jetty 6.1.7 jar:
- Obtain a jetty-6.1.7.jar from
http://repository.codehaus.org/org/mortbay/jetty/jetty/6.1.7/
- Stop your Geronimo Jetty server image.
- Copy jetty-6.1.7.jar to
<geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
- Remove the Jetty 6.1.5 jar:
<geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.5/jetty-6.1.5.jar
- Start the Geronimo Jetty server. The server will now be using the
6.1.7 Jetty jar.
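The copy-and-remove steps above, as an added POSIX shell script (example code, not part of the advisory or of the Geronimo project). It is meant to be run between the "stop" and "start" steps; stopping and starting the server is left to the operator, since the advisory does not name those commands. It assumes the corrected jar has already been downloaded from the URL above, takes the Geronimo root directory and the path to that jar as arguments, and refuses to touch the repository unless the 6.1.5 jar is actually present; the copy is verified byte for byte before the old jar is removed, so a failed copy never leaves the repository without a Jetty jar.

```shell
#!/bin/sh
# Added example (not part of the advisory or the Geronimo project): swap the
# Jetty 6.1.5 jar in a Geronimo repository for the corrected 6.1.7 jar.
# Run it while the server is stopped. Arguments:
#   <geronimo-root> <path to a downloaded jetty-6.1.7.jar>
set -e

JETTY_REPO_DIR=repository/org/mortbay/jetty/jetty   # relative to <geronimo-root>

replace_jetty_jar() {
    root=$1
    new_jar=$2
    old_jar="$root/$JETTY_REPO_DIR/6.1.5/jetty-6.1.5.jar"
    dest_dir="$root/$JETTY_REPO_DIR/6.1.7"
    dest_jar="$dest_dir/jetty-6.1.7.jar"

    # Refuse to run on anything that does not look like an affected image.
    [ -f "$old_jar" ] || { echo "no Jetty 6.1.5 jar under $root" >&2; return 1; }
    [ -s "$new_jar" ] || { echo "$new_jar is missing or empty" >&2; return 1; }
    case "$new_jar" in
        */jetty-6.1.7.jar|jetty-6.1.7.jar) ;;
        *) echo "expected a file named jetty-6.1.7.jar, got $new_jar" >&2; return 1 ;;
    esac

    # Copy the corrected jar into place and verify the copy before removing
    # the vulnerable jar, so the repository is never left without a Jetty jar.
    mkdir -p "$dest_dir"
    cp "$new_jar" "$dest_jar"
    cmp -s "$new_jar" "$dest_jar" || { echo "copy verification failed" >&2; return 1; }
    rm "$old_jar"
    echo "installed $dest_jar and removed $old_jar"
}

# List the Jetty jar versions present under <geronimo-root>, one per line,
# for a before/after check (expected: "6.1.5" before, "6.1.7" after).
list_jetty_jars() {
    ls "$1/$JETTY_REPO_DIR"/*/jetty-*.jar 2>/dev/null | sed 's#.*/jetty-##; s#\.jar$##'
}

# Usage when run as a script (rather than sourced for its functions):
#   sh replace_jetty_jar.sh /opt/geronimo /tmp/jetty-6.1.7.jar
if [ "$#" -eq 2 ]; then
    replace_jetty_jar "$1" "$2"
    list_jetty_jars "$1"
fi
```

After the server is started again, the list_jetty_jars output should show only 6.1.7 and the server log should show Jetty starting normally; if the old jar is still referenced by any other configuration, that is the point at which it will become visible.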
This vulnerability will be fixed in the next release of Geronimo (2.0.3
and/or 2.1), which will include Jetty 6.1.7 and so correct the vulnerability.