portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-1240) Security Vulnerability in Portals Zones
Date Sat, 05 Feb 2011 02:31:30 GMT

    [ https://issues.apache.org/jira/browse/JS2-1240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12990883#comment-12990883
] 

David Sean Taylor commented on JS2-1240:
----------------------------------------

We will address the following security in Jetspeed:

1. Change the installer to use a safe release of Tomcat. As of this date (2/4/2011), version
6.0.32 is recommended.
2. Remove the Tomcat Manager from the installer distributions
3. Remove all insecure passwords in tomcat-users.xml 
4. Modifications will be made to the distribution to remove all reverse proxy features from
the distribution




> Security Vulnerability in Portals Zones
> ---------------------------------------
>
>                 Key: JS2-1240
>                 URL: https://issues.apache.org/jira/browse/JS2-1240
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Deployment, Installer
>    Affects Versions: 2.2.1
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.2.2
>
>
> As reported by Apache Security Team:
> It has come to the attention of the ASF security team that the latest
> version of Jetspeed ships with a critical security vulnerability that
> permits a remote attacker to execute arbitrary code.
> The details of the vulnerability are as follows:
> - - Jetspeed 2.2.1 includes version 6.0.18 of Apache Tomcat
> - - Jetspeed 2.2.1 includes the Tomcat manager application
> - - The default tomcat-users.xml file has been modified to include an
> enabled administrative user with an insecure default password
> This means that a default installation of Jetspeed 2.2.1 is vulnerable
> to remote execution of arbitrary code via deployment of malicious web
> applications using Tomcat's Manager application. Remote execution of
> arbitrary code is a critical (the highest rating) security vulnerability.
> The Portals PMC should also be aware that Tomcat 6.0.18 is 2.5 years old
> and itself has a number of security vulnerabilities. [1]
> [1] http://tomcat.apache.org/security-6.html

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message