JBoss Enterprise SOA Platform: SOA-3548

CLONE - jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Migrated to another ITS
    • Affects Version/s: 5.1.0 GA
    • Fix Version/s: None
    • Component/s: Examples
    • Labels: None

      Description

      The jruby.jar file shipped with the scripting_chain quickstart appears to be vulnerable to CVE-2010-1330:

      jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar

      I have been unable to determine the exact version of jruby.jar that we are shipping, as it doesn't match any of the upstream md5sums and the MANIFEST.MF does not specify the version. Based on what I can see in MANIFEST.MF and the unpacked structure of the jar, it is likely to be version 1.1.x or 1.2.0. To mitigate this flaw, we should upgrade to >= 1.4.1 or >= 1.5.0. Details are here:

      http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html

      Since this is a moderate impact flaw that only affects a quickstart, the overall impact is low. We should upgrade the vulnerable component in the next release. If it is possible to squeeze this update into 5.2.0 that would be ideal, but I'm not calling it a blocker.
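The version check the reporter describes (comparing the jar's md5sum against upstream release sums and reading MANIFEST.MF for a version attribute) can be scripted. The following is an added example, not part of the ticket or of the SOA Platform code; the `KNOWN_UPSTREAM_MD5` table holds constructed placeholders that a practitioner would replace with the md5sums published for the upstream JRuby releases, and the sample jar is built in memory rather than read from the quickstart.

```python
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Manifest attributes that normally carry a release version.
VERSION_KEYS = ("Implementation-Version", "Specification-Version", "Bundle-Version")

# Constructed placeholder table: fill in the md5sums published for the
# upstream JRuby releases. These hex strings are NOT real checksums.
KNOWN_UPSTREAM_MD5 = {
    "0" * 32: "jruby-1.4.1 (placeholder)",
    "f" * 32: "jruby-1.5.0 (placeholder)",
}


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict, folding continuation lines (leading space)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # continuation of the previous attribute value
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def fingerprint_jar(data, known=KNOWN_UPSTREAM_MD5):
    """Return the jar's md5, any version its manifest declares, and a known-release match."""
    md5 = hashlib.md5(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = {}
        if MANIFEST_PATH in zf.namelist():
            manifest = parse_manifest(zf.read(MANIFEST_PATH).decode("utf-8", "replace"))
    declared = next((manifest[k] for k in VERSION_KEYS if k in manifest), None)
    return {"md5": md5, "declared_version": declared, "upstream_match": known.get(md5)}


def build_jar(manifest_text):
    """Build a minimal in-memory jar (constructed test input, not a real jruby.jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest_text)
        zf.writestr("org/example/Placeholder.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # A manifest with no version attribute reproduces the situation in the ticket.
    print(fingerprint_jar(build_jar("Manifest-Version: 1.0\nCreated-By: constructed\n")))
```

When both `declared_version` and `upstream_match` come back `None`, the jar cannot be identified from metadata alone and should be treated as the unknown, possibly vulnerable build the ticket describes.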


                People

                • Assignee: Unassigned
                • Reporter: dpalmer Douglas Palmer
                • Votes: 0
                • Watchers: 1
