Bug 781053 (SOA-3539) - jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330
Summary: jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-3539
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: Examples
Version: 5.2.0.ER5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 5.2.0 GA, 5.2.0.CR1
Assignee: Douglas Palmer
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-11-01 02:29 UTC by David Jorm
Modified: 2014-10-21 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-14 09:27:41 UTC
Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 781061 0 medium CLOSED CLONE - jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 781062 0 medium CLOSED CLONE - jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JBESB-3706 0 Major Closed Upgrade jruby to 1.6.5 2013-02-28 04:06:56 UTC
Red Hat Issue Tracker SOA-3539 0 Minor Closed jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2010-1330 2013-02-28 04:06:56 UTC

Internal Links: 781061 781062

Description David Jorm 2011-11-01 02:29:00 UTC
project_key: SOA

The jruby.jar file shipped with the scripting_chain quickstart appears to be vulnerable to CVE-2010-1330:

jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar

I have been unable to determine the exact version of jruby.jar that we are shipping, as it doesn't match any of the upstream md5sums and the MANIFEST.MF does not specify the version. Based on what I can see in MANIFEST.MF and the unpacked structure of the jar, it is likely to be version 1.1.x or 1.2.0. To mitigate this flaw, we should upgrade to >= 1.4.1 or >= 1.5.0. Details are here:

http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html

Since this is a moderate impact flaw that only affects a quickstart, the overall impact is low. We should upgrade the vulnerable component in the next release. If it is possible to squeeze this update into 5.2.0 that would be ideal, but I'm not calling it a blocker.
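The report above hinges on a practical question: which JRuby version is actually inside a shipped jruby.jar when the manifest carries no version attribute and the file hashes do not match upstream. The following is an added example (not part of the bug report or of the SOA Platform quickstart) of how a defender can inventory such a jar: read MANIFEST.MF, fall back to a digest lookup against a reference table, and compare the result with the fixed version the report names (1.4.1). The manifests, jar contents and the digest table are constructed sample data; the only threshold it assumes is the report's own "upgrade to >= 1.4.1".

```python
import hashlib
import io
import re
import zipfile

# Threshold taken from the report: versions below 1.4.1 are treated as exposed
# to CVE-2010-1330 (1.4.1 and 1.5.0 are the first fixed lines it names).
FIXED_SINCE = (1, 4, 1)

# Manifest attributes that commonly carry a jar's version, checked in this order.
VERSION_KEYS = ("Implementation-Version", "Bundle-Version", "Specification-Version")


def build_jar(manifest_text, extra_files=None):
    """Build a small jar in memory. Constructed sample data, not a real JRuby build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        for name, data in (extra_files or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Parse 'Key: value' lines; a line starting with one space continues the previous value."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            last = None
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def digests(data):
    """MD5 (what upstream published at the time) and SHA-256 of the same bytes."""
    return {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}


def identify_jar(jar_bytes, known_digests):
    """Return (version, how): manifest attribute first, then digest lookup, else (None, 'unknown')."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = ""
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = parse_manifest(manifest)
    for key in VERSION_KEYS:
        if key in attrs:
            return attrs[key], "manifest:" + key
    for d in digests(jar_bytes):
        if d in known_digests:
            return known_digests[d], "digest"
    return None, "unknown"


def parse_version(version):
    """'1.6.5' -> (1, 6, 5); missing components are padded with zeros."""
    parts = re.findall(r"\d+", version)[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def is_affected(version):
    """True when the identified version is below the first fixed release named in the report."""
    return parse_version(version) < FIXED_SINCE


# Constructed sample manifests: one without any version attribute (the situation
# the report describes) and one that declares a fixed version.
MANIFEST_NO_VERSION = "Manifest-Version: 1.0\nCreated-By: 1.6.0 (constructed)\nMain-Class: org.jruby.Main\n"
MANIFEST_WITH_VERSION = MANIFEST_NO_VERSION + "Implementation-Version: 1.6.5\n"

OLD_JAR = build_jar(MANIFEST_NO_VERSION, {"org/jruby/Main.class": b"\xca\xfe\xba\xbe-old"})
NEW_JAR = build_jar(MANIFEST_WITH_VERSION, {"org/jruby/Main.class": b"\xca\xfe\xba\xbe-new"})
UNKNOWN_JAR = build_jar(MANIFEST_NO_VERSION, {"org/jruby/Main.class": b"\xca\xfe\xba\xbe-patched"})

# Reference table: in practice filled from upstream release digests. Here the
# single "1.2.0" entry is the digest of our own constructed OLD_JAR.
KNOWN = {hashlib.sha256(OLD_JAR).hexdigest(): "1.2.0"}


if __name__ == "__main__":
    for label, jar in (("old", OLD_JAR), ("new", NEW_JAR), ("unknown", UNKNOWN_JAR)):
        version, how = identify_jar(jar, KNOWN)
        if version is None:
            status = "undetermined: inspect class files or rebuild from a known source"
        else:
            status = "affected" if is_affected(version) else "fixed"
        print(f"{label}: version={version} via {how} -> {status}")
```

The "unknown" outcome is the case the reporter hit: no version attribute and no digest match, which is exactly when a jar should be replaced by a build of known provenance rather than assumed safe.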

Comment 1 tcunning 2011-11-02 04:23:09 UTC
Link: Added: This issue relates to JBESB-3706


Comment 2 Douglas Palmer 2011-11-02 10:16:00 UTC
Link: Added: This issue Cloned to SOA-3547


Comment 3 Douglas Palmer 2011-11-02 10:17:47 UTC
Link: Added: This issue Cloned to SOA-3548


Comment 4 David Le Sage 2011-11-03 22:16:24 UTC
Release Notes Docs Status: Added: Not Required
Writer: Added: dlesage


Comment 5 Jiri Pechanec 2011-11-14 09:27:41 UTC
Verified in CR1

