Bug 781053 (SOA-3539)

Summary: jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330
Product: [JBoss] JBoss Enterprise SOA Platform 5
Component: Examples
Version: 5.2.0.ER5
Reporter: David Jorm <djorm>
Assignee: Douglas Palmer <dpalmer>
CC: mjc
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Target Release: 5.2.0 GA, 5.2.0.CR1
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/SOA-3539
Type: Bug
Doc Type: Bug Fix
Last Closed: 2011-11-14 09:27:41 UTC

Description David Jorm 2011-11-01 02:29:00 UTC
project_key: SOA

The jruby.jar file shipped with the scripting_chain quickstart appears to be vulnerable to CVE-2010-1330:

jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar

I have been unable to determine the exact version of jruby.jar that we are shipping, as it doesn't match any of the upstream md5sums and the MANIFEST.MF does not specify the version. Based on what I can see in MANIFEST.MF and the unpacked structure of the jar, it is likely to be version 1.1.x or 1.2.0. To mitigate this flaw, we should upgrade to >= 1.4.1 or >= 1.5.0. Details are here:

http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html

Since this is a moderate impact flaw that only affects a quickstart, the overall impact is low. We should upgrade the vulnerable component in the next release. If it is possible to squeeze this update into 5.2.0 that would be ideal, but I'm not calling it a blocker.
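
The version check described in the report (compare the jar's checksum with upstream lists, read MANIFEST.MF, fall back to the unpacked structure) is the kind of thing worth scripting when auditing bundled third-party jars. The following is an added Python example, not code from the bug report, JBoss or JRuby. The class-file major-version table and the manifest continuation-line rule come from the JVM and JAR specifications; the sample jar, the package names inside it and the known-hash mapping are constructed placeholders, and the upstream checksum list is something the caller has to supply from the real release notes.

```python
"""Fingerprint an unversioned jar (e.g. a bundled jruby.jar) offline.

Added example, not code from the bug report, JBoss or JRuby: it automates the
checks the reporter did by hand (hashes vs. upstream checksums, MANIFEST.MF,
jar structure). The sample jar and known-hash mapping are constructed.
"""
import hashlib
import io
import struct
import zipfile
from collections import Counter

# Class-file major version -> Java release, from the JVM specification.
CLASS_MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                       49: "5", 50: "6", 51: "7", 52: "8"}
# Manifest attributes that carry a version when the packager set one.
VERSION_ATTRIBUTES = ("Implementation-Version", "Specification-Version",
                      "Bundle-Version")


def jar_hashes(jar_bytes):
    """md5/sha1/sha256 hex digests, for matching against upstream checksum lists."""
    return {n: hashlib.new(n, jar_bytes).hexdigest() for n in ("md5", "sha1", "sha256")}


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF (up to the first blank line).
    A line starting with one space continues the previous value (JAR spec)."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if line == "":
            break  # per-entry sections follow; not needed here
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value[1:] if value.startswith(" ") else value
    return attrs


def class_file_major(data):
    """Major version from a class-file header, or None if the magic is wrong."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == 0xCAFEBABE else None


def fingerprint_jar(jar_bytes, known_hashes=None):
    """Gather the evidence needed to identify a jar with no declared version.
    known_hashes maps an upstream md5/sha1/sha256 hex digest to a version; a hit
    is an exact match, a miss means a modified build or no upstream release."""
    hashes = jar_hashes(jar_bytes)
    known = known_hashes or {}
    manifest, majors, packages = {}, Counter(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                manifest = parse_manifest(zf.read(name).decode("utf-8", "replace"))
            elif name.endswith(".class"):
                major = class_file_major(zf.read(name))
                if major is not None:
                    majors[major] += 1
                parts = name.split("/")
                if len(parts) > 2:  # record top-level package, e.g. org/jruby
                    packages.add("/".join(parts[:2]))
    newest = max(majors) if majors else None
    return {
        "hashes": hashes,
        "upstream_match": next((known[h] for h in hashes.values() if h in known), None),
        "manifest": manifest,
        "declared_version": {k: manifest[k] for k in VERSION_ATTRIBUTES if k in manifest} or None,
        "java_target": None if newest is None else CLASS_MAJOR_TO_JAVA.get(newest, str(newest)),
        "class_count": sum(majors.values()),
        "packages": sorted(packages),
    }


def build_sample_jar():
    """Constructed stand-in for a jar whose manifest names no version: Main-Class
    plus a wrapped Class-Path, and three minimal class headers targeting Java 5
    (major 49). Not a real JRuby build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: org.jruby.Main\r\n"
                    "Class-Path: lib/a.jar \r\n lib/b.jar\r\n\r\n")
        header = struct.pack(">IHH", 0xCAFEBABE, 0, 49) + b"\x00" * 8
        for cls in ("org/jruby/Main.class", "org/jruby/runtime/Constants.class",
                    "org/joni/Regex.class"):
            zf.writestr(cls, header)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for key, value in fingerprint_jar(data).items():
        print(f"{key}: {value}")
```

Run it as `python fingerprint_jar.py path/to/jruby.jar`; without an argument it analyses the constructed sample. A checksum hit against a caller-supplied upstream list settles the version; a miss plus an empty `declared_version` leaves only the class-file target and package layout to bound the build, which is the situation the reporter describes, and in that case the safe reading is "unknown, treat as affected".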

Comment 1 tcunning 2011-11-02 04:23:09 UTC
Link: Added: This issue relates to JBESB-3706


Comment 2 Douglas Palmer 2011-11-02 10:16:00 UTC
Link: Added: This issue Cloned to SOA-3547


Comment 3 Douglas Palmer 2011-11-02 10:17:47 UTC
Link: Added: This issue Cloned to SOA-3548


Comment 4 David Le Sage 2011-11-03 22:16:24 UTC
Release Notes Docs Status: Added: Not Required
Writer: Added: dlesage


Comment 5 Jiri Pechanec 2011-11-14 09:27:41 UTC
Verified in CR1