Kan Ogawa
super****@jcom*****
2008-01-15 (Tue) 07:25:10 JST
This is Ogawa.

A security vulnerability has been reported in the Apache Geronimo 2.0 with Jetty distribution. Users running Jetty as their web container should apply the workaround described in the e-mail below as soon as possible.

This vulnerability is scheduled to be fixed in the next release (v2.0.3).

--
Kan Ogawa
super****@jcom*****

-------- Original Message --------
Subject: [SECURITY] Potential vulnerability in Jetty servlet container
Date: Mon, 14 Jan 2008 14:49:19 -0500
From: Joe Bohn <joe.b****@earth*****>
Reply-To: dev****@geron*****
To: Geronimo Dev <dev****@geron*****>

The Geronimo project has learned of a security vulnerability in the Jetty servlet container (6.1.5) included in Geronimo. If you use a Jetty configuration of Geronimo you may be affected by the vulnerability. This vulnerability impacts Jetty configurations of Geronimo 2.0.1 and 2.0.2.

For specific information regarding the Jetty vulnerability, see http://www.kb.cert.org/vuls/id/553235

The problem is related to the processing of URLs which contain multiple consecutive forward slash (/) characters that are handled incorrectly (for example, http://foo//../bar).

If your system is susceptible to attacks using such URLs we recommend that you filter these URLs using an application firewall or reverse proxy server.

Alternatively, you can upgrade your Geronimo Jetty server image to utilize the corrected Jetty 6.1.7 jar:

- Obtain a jetty-6.1.7.jar from http://repository.codehaus.org/org/mortbay/jetty/jetty/6.1.7/
- Stop your Geronimo Jetty server image
- Copy jetty-6.1.7.jar to <geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
- Remove the jetty 6.1.5 jar: <geronimo-root>/repository/org/mortbay/jetty/jetty/6.1.5/jetty-6.1.5.jar
- Start the Geronimo Jetty server. The server will now be using the 6.1.7 Jetty jar.

This vulnerability will be fixed in the next release of Geronimo (2.0.3 and/or 2.1) which will include Jetty 6.1.7 correcting the vulnerability.
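An added example, not part of the original message and not Geronimo or Jetty code: a request-path filter of the kind the advisory suggests placing in a reverse proxy or application firewall in front of an unpatched Jetty 6.1.5 image. It refuses request-targets whose path contains consecutive slashes (the shape the advisory describes, including the percent-encoded form) or dot-segments that climb above the root; the function names and the sample request lines are constructed for this example.

```python
import re
from urllib.parse import unquote

MULTI_SLASH = re.compile(r"/{2,}")

def request_path(target):
    """Path of an origin-form ('/a?q') or absolute-form ('http://h/a?q') request-target."""
    if "://" in target.split("?", 1)[0]:
        after = target.split("://", 1)[1]
        slash = after.find("/")
        target = after[slash:] if slash >= 0 else "/"
    return target.split("?", 1)[0]

def normalize_segments(path):
    """Resolve '.' and '..' segments; return (canonical_path, escaped_root)."""
    out, escaped = [], False
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True  # '..' with nothing left to pop climbs above the root
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out), escaped

def check_request_target(target):
    """Return ('block', reason) or ('allow', canonical_path) for one request-target."""
    # Decode once so an encoded slash (%2F) also counts as a separator; this over-blocks rather than under-blocks.
    path = unquote(request_path(target))
    if MULTI_SLASH.search(path):
        return "block", "consecutive slashes"  # the URL shape the advisory describes
    canonical, escaped = normalize_segments(path)
    if escaped:
        return "block", "dot-segment traversal above root"
    return "allow", canonical

# Constructed sample request lines (not taken from the original message).
SAMPLE_LOG = """GET /console/ HTTP/1.1
GET /foo//../bar HTTP/1.1
GET /foo/%2F..%2Fbar HTTP/1.1
GET /../elsewhere HTTP/1.1
GET /app/./index.jsp?x=1 HTTP/1.1"""

def scan_log(text):
    # Classify every request line; returns a list of (target, verdict, detail).
    results = []
    for line in text.splitlines():
        _method, target, _version = line.split(" ", 2)
        results.append((target,) + check_request_target(target))
    return results
```

Only the consecutive-slash and traversal checks are shown; a production filter would also decide what to do with other non-canonical encodings before the request reaches the container.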