BID:25804

Apache Geronimo Management EJB Security Bypass Vulnerability

Info

Apache Geronimo Management EJB Security Bypass Vulnerability

Bugtraq ID:	25804
Class:	Access Validation Error
CVE:	CVE-2007-5085
Remote:	Yes
Local:	No
Published:	Sep 25 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	The vendor reported this issue.
Vulnerable:	IBM WebSphere Application Server Community Edition 2.0 Apache Geronimo 2.0.1

Not Vulnerable:	Apache Geronimo 2.0.2

Discussion

Apache Geronimo Management EJB Security Bypass Vulnerability

Apache Geronimo is prone to a security-bypass vulnerability. This issue occurs in the management EJB (MEJB).

An attacker could exploit this issue to gain unauthorized access to the affected application. This may lead to further attacks.

This issue affects Apache Geronimo 2.0.1; other versions may also be affected.

Exploit / POC

Apache Geronimo Management EJB Security Bypass Vulnerability

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Apache Geronimo Management EJB Security Bypass Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

Apache Geronimo 2.0.1

Apache Software Foundation apache-geronimo-v202
http://geronimo.apache.org/apache-geronimo-v202-release.html

References

Apache Geronimo Management EJB Security Bypass Vulnerability

References:

Apache Geronimo Web Site (Apache)
Make MEJB security configurable (Apache Software Foundation)
Security Announcement 2007-09-06 (Apache Software Foundation)
MEJB security vulnerability in WebSphere Application Server Community Edition V2 (IBM)