JBoss Fuse / ENTESB-454

jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 7.0.2, 7.1.0
    • Fix Version/s: 7.1.0, jboss-fuse-6.0
    • Component/s: None
    • Labels:
      None

      Description

      jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370. We are shipping JRuby 1.6.7. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.

        Activity

        David Jorm
        added a comment -

        An upstream patch is now available in JRuby 1.7.1:

        http://jruby.org/2012/12/03/jruby-1-7-1

        The relevant patch commit:

        https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77

        Claus Ibsen
        added a comment -

        jruby 1.7.1 is released and in the central maven repo.

        Claus Ibsen
        added a comment -

        Upgraded to jruby 1.7.1 at Apache Camel.
        Will backport these fixes to Fuse Camel trunk / 2.10 and 2.9 branches.

        Claus Ibsen
        added a comment -

        Yeah, ought to be fixed as Camel is pulling in ruby using camel-ruby and it's now using 1.7.1.

        Aileen Cunningham
        added a comment - edited

        Feedback from Arun on CR1

        Can you confirm that this fix is in JBoss Fuse 6.0?

        4) http://fusesource.com/issues/browse/ENTESB-454 - We seem to ship jruby-1.1 along with the servicemix bundles (org.apache.servicemix.bundles.jruby-1.1.2_3.jar). I was not able to find the fix in the jar. Can engineering please confirm? Can we upgrade this?

        Test of a patch:
        > FAIL : Check for Ruby.isSiphashEnabled method
        > FAIL : Check for org.jruby.util.PerlHash
        > CVE-2012-5371: Patch not found

        Jonathan Anstey
        added a comment -

        There were a few places that had to be updated on the ESB side. Should be complete now.

        https://issues.apache.org/jira/browse/SMXCOMP-971
        http://fusesource.com/forge/git/esbcomponents.git/?p=esbcomponents.git;a=commit;h=edaf8b7dcc3ec9708c0677b26ce643ec2982d99e
        https://issues.apache.org/jira/browse/SMX4-1424
        http://fusesource.com/forge/git/esbfeatures.git/?p=esbfeatures.git;a=commit;h=8a3b01df6d2062efbbaae12ed2ad1d7bc1d3ae13
        smx 5 trunk: http://svn.apache.org/r1462619
        fuseenterprise: http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git;a=commit;h=1d91c937d5ee065bbf010897fa0a331074cb5628

          People

          • Assignee: Claus Ibsen
          • Reporter: David Jorm
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved: