Bug 781177 (SOA-3680) - jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2011-4838
Summary: jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2011-4838
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-3680
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: Examples
Version: 5.2.0 GA
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.3.0 GA
Assignee: Douglas Palmer
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-03 01:42 UTC by David Jorm
Modified: 2014-10-21 00:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-03 18:35:27 UTC
Type: Bug




Links
Red Hat Issue Tracker JBESB-3725 (Closed): Upgrade JRuby to 1.6.5.1; last updated 2012-03-09 04:27:39 UTC
Red Hat Issue Tracker SOA-3680 (Closed): jruby.jar as shipped with the scripting_chain quickstart exposes CVE-2011-4838; last updated 2012-03-09 04:27:38 UTC

Description David Jorm 2012-01-03 01:42:31 UTC
project_key: SOA

The jruby.jar file shipped with the scripting_chain quickstart is vulnerable to CVE-2011-4838:

jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar

We are shipping JRuby 1.6.5. To mitigate this flaw, we should upgrade to 1.6.5.1. Details are here:

http://www.jruby.org/2011/12/27/jruby-1-6-5-1.html

Since this is a moderate impact flaw that only affects a quickstart, the overall impact is low. We should upgrade the vulnerable component in the next release, whether this is 5.3.0 or a CP to 5.2.0.
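As an added defender-side check (not code from this bug or from the JBoss/JRuby projects): a small Python script that reads the JRuby version string out of the jruby.jar at the path named above and flags anything below 1.6.5.1. It assumes the version is stored in org/jruby/jruby.properties under a version= key (with the manifest's Implementation-Version as a fallback), and build_sample_jar is a constructed stand-in used only for testing.

```python
import io
import zipfile

# Jar path named in the report and the first release the report says is fixed.
JRUBY_JAR = "jboss-as/samples/quickstarts/scripting_chain/lib/jruby.jar"
FIXED_VERSION = "1.6.5.1"
# Assumed locations of the version string inside jruby.jar (properties first, manifest fallback).
PROPS_ENTRY = "org/jruby/jruby.properties"
MANIFEST_ENTRY = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'1.6.5' -> (1, 6, 5); trailing non-numeric parts are dropped, so
    (1, 6, 5) < (1, 6, 5, 1) orders 1.6.5 below the fixed 1.6.5.1."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def jruby_version_from_jar(jar_bytes):
    """Return the JRuby version string found in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        for entry, sep, key in ((PROPS_ENTRY, "=", "version"),
                                (MANIFEST_ENTRY, ":", "Implementation-Version")):
            if entry not in names:
                continue
            for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                k, found, v = line.partition(sep)
                if found and k.strip() == key:
                    return v.strip()
    return None


def is_affected(jar_bytes, fixed=FIXED_VERSION):
    """True when the jar is older than the fixed release, or cannot be identified."""
    found = jruby_version_from_jar(jar_bytes)
    return found is None or parse_version(found) < parse_version(fixed)


def build_sample_jar(version):
    """Constructed stand-in for jruby.jar carrying only the properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(PROPS_ENTRY, "version=%s\n" % version)
    return buf.getvalue()


if __name__ == "__main__":
    with open(JRUBY_JAR, "rb") as fh:  # run from the unpacked SOA-P directory
        print("affected" if is_affected(fh.read()) else "fixed")
```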

Comment 1 David Jorm 2012-01-03 01:55:10 UTC
Link: Added: This issue relates to JBESB-3725


Comment 2 tcunning 2012-01-03 18:35:27 UTC
Upgraded on the JBESB_4_10_CP branch.

Comment 3 David Jorm 2012-03-07 04:52:00 UTC
(In reply to comment #2)
> Upgraded on the JBESB_4_10_CP branch.

So just to clarify, this fix will be included in SOA-P 5.3.0, right?

