JBoss ESB: JBESB-3884

jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.11
    • Fix Version/s: 4.11 CP2
    • Component/s: None
    • Security Level: Public (Everyone can see)
    • Labels: None

      Description

      jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.

          Activity

          David Jorm
          added a comment -

          An upstream patch is now available in JRuby 1.7.1:

          http://jruby.org/2012/12/03/jruby-1-7-1

          The relevant patch commit:

          https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77

          Tom Cunningham
          added a comment -

          Upgraded to jruby 1.7.1


            People

            • Assignee: Tom Cunningham
            • Reporter: David Jorm