portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Created: (JS2-1240) Security Vulnerability in Portals Zones
Date Sat, 05 Feb 2011 02:23:30 GMT
Security Vulnerability in Portals Zones

                 Key: JS2-1240
                 URL: https://issues.apache.org/jira/browse/JS2-1240
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Deployment, Installer
    Affects Versions: 2.2.1
            Reporter: David Sean Taylor
            Assignee: David Sean Taylor
             Fix For: 2.2.2

As reported by Apache Security Team:

It has come to the attention of the ASF security team that the latest
version of Jetspeed ships with a critical security vulnerability that
permits a remote attacker to execute arbitrary code.

The details of the vulnerability are as follows:
- - Jetspeed 2.2.1 includes version 6.0.18 of Apache Tomcat
- - Jetspeed 2.2.1 includes the Tomcat manager application
- - The default tomcat-users.xml file has been modified to include an
enabled administrative user with an insecure default password

This means that a default installation of Jetspeed 2.2.1 is vulnerable
to remote execution of arbitrary code via deployment of malicious web
applications using Tomcat's Manager application. Remote execution of
arbitrary code is a critical (the highest rating) security vulnerability.

The Portals PMC should also be aware that Tomcat 6.0.18 is 2.5 years old
and itself has a number of security vulnerabilities. [1]

[1] http://tomcat.apache.org/security-6.html

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message