JBoss ESB / JBESB-3884

jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.11
    • Fix Version/s: 4.11 CP2
    • Component/s: None
    • Labels:
      None

      Description

      jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.

                People

                • Assignee: tcunning Tom Cunningham
                • Reporter: dfj David Jorm
                • Votes: 0
                • Watchers: 2

                  Dates

                  • Created:
                    Updated:
                    Resolved: