JBoss ESB / JBESB-3884

jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.11
    • Fix Version/s: 4.11 CP2
    • Component/s: None
    • Labels:
      None

      Description

      jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.


            Activity

            David Jorm added a comment -

            An upstream patch is now available in JRuby 1.7.1:

            http://jruby.org/2012/12/03/jruby-1-7-1

            The relevant patch commit:

            https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77

            Tom Cunningham added a comment -

            Upgraded to jruby 1.7.1


              People

              • Assignee:
                Tom Cunningham
                Reporter:
                David Jorm
              • Votes:
                0
                Watchers:
                2
