JBoss Fuse: ENTESB-454

jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: fuse-esb-7.0.2, fuse-esb-7.1.0
    • Fix Version/s: fuse-esb-7.1.0, jboss-fuse-6.0
    • Component/s: None
    • Labels: None

      Description

      jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370. We are shipping JRuby 1.6.7. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.


          Activity

          David Jorm added a comment -

          An upstream patch is now available in JRuby 1.7.1:

          http://jruby.org/2012/12/03/jruby-1-7-1

          The relevant patch commit:

          https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77

          Claus Ibsen added a comment -

          jruby 1.7.1 is released and in central maven repo.

          Claus Ibsen added a comment -

          Upgraded to jruby 1.7.1 at Apache Camel.
          Will backport these fixes to Fuse Camel trunk / 2.10 and 2.9 branches.

          Claus Ibsen added a comment -

          Yeah, ought to be fixed as Camel is pulling in ruby using camel-ruby and it's now using 1.7.1

          Aileen Cunningham added a comment (edited) -

          Feedback from Arun on CR1

          Can you confirm that this fix is in JBoss Fuse 6.0?

          4) http://fusesource.com/issues/browse/ENTESB-454 - We seem to ship
          jruby-1.1 along with the servicemix bundles.
          (org.apache.servicemix.bundles.jruby-1.1.2_3.jar). I was not able to
          find the fix in the jar. Can engineering please confirm? Can we upgrade
          this?

          Test of a patch:
          > FAIL : Check for Ruby.isSiphashEnabled method
          > FAIL : Check for org.jruby.util.PerlHash
          > CVE-2012-5371: Patch not found

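The test output quoted in the comment above checks two markers of the JRuby fix: the `Ruby.isSiphashEnabled` method and the `org.jruby.util.PerlHash` class. The tool that produced that output is not on this page; what follows is an added example, not from the issue or from Fuse/JRuby, that reproduces the same two checks against a jar. It also descends into jars nested inside a bundle, since the comment notes the JRuby classes ship inside a ServiceMix bundle jar. The marker names are taken from the issue; the search is a plain byte match for the method name in `org/jruby/Ruby.class` (a method name appears in the class constant pool as modified UTF-8), not a full class-file parse, and the sample jars are constructed stand-ins with dummy class bodies.

```python
"""Added example (not from the issue or from Fuse/JRuby): check a jruby jar for
the CVE-2012-5370 fix markers quoted in ENTESB-454."""
import io
import sys
import zipfile

RUBY_CLASS = "org/jruby/Ruby.class"
PERLHASH_CLASS = "org/jruby/util/PerlHash.class"
SIPHASH_METHOD = b"isSiphashEnabled"  # constant-pool entry in a patched Ruby.class


def check_jar(jar) -> dict:
    """jar: path, file object or bytes. Recurses into embedded *.jar entries,
    since OSGi bundles commonly wrap the real jar via Bundle-ClassPath."""
    if isinstance(jar, (bytes, bytearray)):
        jar = io.BytesIO(jar)
    result = {"isSiphashEnabled": False, "PerlHash": False}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.filename == RUBY_CLASS:
                result["isSiphashEnabled"] |= SIPHASH_METHOD in zf.read(info)
            elif info.filename == PERLHASH_CLASS:
                result["PerlHash"] = True
            elif info.filename.endswith(".jar"):
                nested = check_jar(zf.read(info))
                result["isSiphashEnabled"] |= nested["isSiphashEnabled"]
                result["PerlHash"] |= nested["PerlHash"]
    result["patched"] = result["isSiphashEnabled"] and result["PerlHash"]
    return result


def report(result: dict) -> list:
    """Render the result in the PASS/FAIL shape used in the comment above."""
    return [
        "%s : Check for Ruby.isSiphashEnabled method"
        % ("PASS" if result["isSiphashEnabled"] else "FAIL"),
        "%s : Check for org.jruby.util.PerlHash"
        % ("PASS" if result["PerlHash"] else "FAIL"),
        "CVE-2012-5370: Patch %s" % ("found" if result["patched"] else "not found"),
    ]


def build_sample_jar(patched: bool, nested: bool = False) -> bytes:
    """Constructed stand-in jar for offline testing (not a real jruby jar):
    class bodies are dummies; only entry names and the method-name bytes matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = b"\xca\xfe\xba\xbe" + (SIPHASH_METHOD if patched else b"")
        zf.writestr(RUBY_CLASS, body)
        if patched:
            zf.writestr(PERLHASH_CLASS, b"\xca\xfe\xba\xbe")
    inner = buf.getvalue()
    if not nested:
        return inner
    # Wrap it the way an OSGi bundle would (assumed layout, Bundle-ClassPath entry).
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Bundle-ClassPath: .,jruby.jar\n")
        zf.writestr("jruby.jar", inner)
    return outer.getvalue()


if __name__ == "__main__":
    # usage: python check_jruby_fix.py jruby.jar org.apache.servicemix.bundles.jruby-*.jar
    for path in sys.argv[1:]:
        print(path)
        for line in report(check_jar(path)):
            print("  " + line)
```

A byte match on the method name is a quick triage, not proof: a jar that merely references the method from another class would also match, so confirm by checking the JRuby version in `META-INF/MANIFEST.MF` as well, and treat a FAIL on either marker as "not fixed".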
          Jonathan Anstey added a comment -

          There were a few places that had to be updated on the ESB side. Should be complete now.

          https://issues.apache.org/jira/browse/SMXCOMP-971
          http://fusesource.com/forge/git/esbcomponents.git/?p=esbcomponents.git;a=commit;h=edaf8b7dcc3ec9708c0677b26ce643ec2982d99e
          https://issues.apache.org/jira/browse/SMX4-1424
          http://fusesource.com/forge/git/esbfeatures.git/?p=esbfeatures.git;a=commit;h=8a3b01df6d2062efbbaae12ed2ad1d7bc1d3ae13

          smx 5 trunk
          http://svn.apache.org/r1462619

          fuseenterprise
          http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git;a=commit;h=1d91c937d5ee065bbf010897fa0a331074cb5628

            People

            • Assignee: Claus Ibsen
            • Reporter: David Jorm
            • Votes: 0
            • Watchers: 0