[ https://issues.apache.org/jira/browse/GERONIMO-3461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12526812 ]
Donald Woods commented on GERONIMO-3461:
----------------------------------------

Background info on this temp change -

-------- Original Message --------
Subject: MEJB Security Alert
Date: Thu, 6 Sep 2007 06:46:21 -0700 (PDT)
From: Anita Kulshreshtha <[EMAIL PROTECTED]>
Reply-To: dev@geronimo.apache.org
To: dev@geronimo.apache.org

All,
    We have discovered a security vulnerability in Geronimo, where the
management EJB (MEJB) allows unchallenged access to Geronimo internals.
A temporary workaround is to make the following modifications to the
configuration file at <GERONIMO_HOME>/var/config.xml. This will disable
MEJB.

<module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService">
    .........................................
    </gbean>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
</module>

We will be releasing a new version soon to control access to MEJB in a
more secure way. This issue will be tracked in
https://issues.apache.org/jira/browse/GERONIMO-3456

Thanks
Anita

> Disable MEJB gbean in the default assemblies until G3456 is fixed
> -----------------------------------------------------------------
>
>                 Key: GERONIMO-3461
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3461
>             Project: Geronimo
>          Issue Type: Sub-task
>      Security Level: public(Regular issues)
>          Components: OpenEJB
>    Affects Versions: 2.0.1, 2.1
>            Reporter: Donald Woods
>            Assignee: Donald Woods
>             Fix For: 2.0.2, 2.1
>
>
> Temporarily disable the MEJB bean due to the security exposure found by
> Anita, until GERONIMO-3456 is properly fixed.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
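
Added example, not part of the original message or of Geronimo: a check that the workaround quoted above is present in a given config.xml. The function name, status strings and sample documents are assumptions made for illustration; the module prefix and gbean name are the ones in the alert.

```python
import xml.etree.ElementTree as ET

OPENEJB_PREFIX = "org.apache.geronimo.configs/openejb/"  # any version
MEJB_GBEAN = "ejb/mgmt/MEJB"                              # gbean name from the alert

def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _is_false(value):
    return value is not None and value.strip().lower() == "false"

def mejb_findings(config_xml):
    """Return [(module_name, status)] for every OpenEJB module in config.xml."""
    findings = []
    for module in ET.fromstring(config_xml).iter():
        name = module.get("name", "")
        if _local(module.tag) != "module" or not name.startswith(OPENEJB_PREFIX):
            continue
        if _is_false(module.get("load")):
            # Whole module switched off, so its gbeans are not started.
            findings.append((name, "module-not-loaded"))
            continue
        entries = [g for g in module
                   if _local(g.tag) == "gbean" and g.get("name") == MEJB_GBEAN]
        # Disabled only if an MEJB entry exists and every one has load="false".
        ok = bool(entries) and all(_is_false(g.get("load")) for g in entries)
        findings.append((name, "disabled" if ok else "workaround-missing"))
    return findings

# Constructed samples (namespace and surrounding elements are made up).
PATCHED = """<attributes xmlns="urn:example:constructed">
  <module name="org.apache.geronimo.configs/openejb/2.0.1/car">
    <gbean name="EJBNetworkService"/>
    <gbean load="false" name="ejb/mgmt/MEJB"/>
  </module>
</attributes>"""
UNPATCHED = PATCHED.replace('<gbean load="false" name="ejb/mgmt/MEJB"/>', "")

if __name__ == "__main__":
    for label, xml_text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, mejb_findings(xml_text))
```

To audit a real installation, pass the contents of <GERONIMO_HOME>/var/config.xml to mejb_findings() and treat any status other than "disabled" or "module-not-loaded" as the workaround not being applied.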