Bug 781177 (SOA-3680)

Summary: jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2011-4838
Product: [JBoss] JBoss Enterprise SOA Platform 5
Reporter: David Jorm <djorm>
Component: Examples
Assignee: Douglas Palmer <dpalmer>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.2.0 GA
CC: mjc
Target Release: 5.3.0 GA
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/SOA-3680
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-01-03 18:35:27 UTC

Description David Jorm 2012-01-03 01:42:31 UTC
project_key: SOA

The jruby.jar file shipped with the scripting_chain quickstart is vulnerable to CVE-2011-4838:

jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar

We are shipping JRuby 1.6.5. To mitigate this flaw, we should upgrade to 1.6.5.1. Details are here:

http://www.jruby.org/2011/12/27/jruby-1-6-5-1.html

Since this is a moderate impact flaw that only affects a quickstart, the overall impact is low. We should upgrade the vulnerable component in the next release, whether this is 5.3.0 or a CP to 5.2.0.
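A defender's inventory check of the kind this report calls for, added here as an example and not part of the bug report or of JRuby itself: it reads the version recorded in a jar's manifest and flags anything below 1.6.5.1, comparing numerically so that 1.6.5 sorts below 1.6.5.1 and 1.6.10 above both. The `Implementation-Version` manifest attribute and the constructed sample jar are assumptions, not the shipped jruby.jar.

```python
"""Flag a shipped jruby.jar whose version predates the CVE-2011-4838 fix."""
import io
import re
import zipfile

# Version that fixed CVE-2011-4838 according to the report above.
FIXED_VERSION = "1.6.5.1"


def parse_version(text):
    """Turn '1.6.5' into (1, 6, 5) so tuples compare numerically:
    1.6.5 < 1.6.5.1 < 1.6.10 (a plain string comparison would put
    '1.6.10' below '1.6.5')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def manifest_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF inside a jar.
    Assumption: the jar records its version under that attribute."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    # Manifest continuation lines start with one space; join them first.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in manifest.split("\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def is_vulnerable(jar_bytes, fixed=FIXED_VERSION):
    """True when the jar's version is below the fixed version,
    False when it is at or above it, None when no version was found."""
    found = manifest_version(jar_bytes)
    if found is None:
        return None
    return parse_version(found) < parse_version(fixed)


def make_jar(version):
    """Constructed sample jar (not a real JRuby build): manifest only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     f"Implementation-Version: {version}\r\n\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.6.5", "1.6.5.1", "1.6.10"):
        print(v, "vulnerable" if is_vulnerable(make_jar(v)) else "fixed")
```

To scan a real deployment, replace `make_jar(...)` with the bytes of each `lib/jruby.jar` found under the quickstart directories.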

Comment 1 David Jorm 2012-01-03 01:55:10 UTC
Link: Added: This issue relates to JBESB-3725
Comment 2 tcunning 2012-01-03 18:35:27 UTC
Upgraded on the JBESB_4_10_CP branch.

Comment 3 David Jorm 2012-03-07 04:52:00 UTC
(In reply to comment #2)
> Upgraded on the JBESB_4_10_CP branch.

So just to clarify, this fix will be included in SOA-P 5.3.0, right?