The Apache Geronimo project has learned of several security vulnerabilities in the Geronimo Administration Console. If you use a full javaee5 configuration of the Geronimo server, or have installed the console into another Geronimo server configuration, you may be affected by these vulnerabilities.

The vulnerabilities affect all full JavaEE Geronimo assemblies or other distributions that include the administration web console up to and including Apache Geronimo 2.1.3.

The vulnerabilities are in the areas of directory traversal from the administration console as well as XSS and XSRF exposures. All vulnerabilities have been addressed in the newly released Geronimo 2.1.4 server currently available for download at: http://geronimo.apache.org/downloads.html

For specific information regarding the vulnerabilities please see the security report:
http://geronimo.apache.org/21x-security-report.html

The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) and Marc Schoenefeld (Red Hat Security Response Team) for responsibly reporting these issues and assisting us with validating our fixes.
