Details
- Task
- Resolution: Done
- Blocker
- EAP_EWP 5.1.0
- None
- Release Notes
- Documented as Resolved Issue
Description
CVE-2009-2693 tomcat: unexpected file deletion and/or alteration
This was tested on EAP 5.1.0 CR3.5 and was not fixed. Creating a JIRA to address in the next release.
- CVE-2009-2693 tomcat: unexpected file deletion and/or alteration
NOT FIXED
Deploy JBPAPP-3848-01.war from JBPAPP-3848 and then check the content of run.sh/run.bat.
Files can still be replaced or created outside of the deploy directory.
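As an added illustration (not JBoss's JarUtils code and not part of this ticket), a hardened unjar routine that resolves every archive entry against the deploy directory and refuses any entry that lands outside it, the class of defect CVE-2009-2693 describes. The WAR is constructed in memory with one legitimate entry and one `../../bin/run.sh` entry; the class name, entry names and one-byte payloads are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.jar.*;

public class SafeUnjar {
    // Constructed WAR (assumption): one normal entry and one whose name escapes the deploy dir.
    static byte[] buildWar() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream jos = new JarOutputStream(bos)) {
            for (String name : new String[] {"WEB-INF/web.xml", "../../bin/run.sh"}) {
                jos.putNextEntry(new JarEntry(name));
                jos.write("x".getBytes());
                jos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    // Unpack into deployDir; an entry whose normalized target is not under the
    // real deploy directory (".." segments or absolute names) aborts the deployment.
    static void unjar(InputStream in, File deployDir) throws IOException {
        Path root = deployDir.toPath().toRealPath();
        try (JarInputStream jis = new JarInputStream(in)) {
            for (JarEntry e; (e = jis.getNextJarEntry()) != null; ) {
                Path target = root.resolve(e.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("entry escapes deploy dir: " + e.getName());
                }
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(jis, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path deploy = Files.createTempDirectory("deploy");
        try {
            unjar(new ByteArrayInputStream(buildWar()), deploy.toFile());
        } catch (IOException ex) {
            // Expected for the constructed WAR: "entry escapes deploy dir: ../../bin/run.sh"
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The WEB-INF/web.xml entry is written normally; the traversal entry is refused before anything is written to it, so run.sh outside the deploy directory is never touched.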
From Mike Milson:
EAP 5.1.0 CR3.5 includes common core 2.2.16.GA[1]:
<version.org.jboss.common.core>2.2.16.GA</version.org.jboss.common.core>
The fix that was added to the EAP 4.2/4.3 commons CP branch[2] does not appear to have made it into common-core for EAP 5, at least I don't see it in trunk[3].
References:
[1] http://anonsvn.jboss.org/repos/jbossas/tags/JBPAPP_5_1_0_CR3.5/component-matrix/pom.xml
[2] http://fisheye.jboss.org/browse/JBossCommon/common-old/branches/JBossCommon_1_2_1_GA_CP/src/main/org/jboss/util/file/JarUtils.java?r1=4240&r2=4241
[3] http://fisheye.jboss.org/browse/JBossCommon/common-core/trunk/src/main/java/org/jboss/util/file/JarUtils.java
From Marc:
Hi, this is a low severity bug[1], as it mainly affects installations where you cannot per se trust the deployed apps (cloud, shared hosting).
The correct revision fixing this issue is 1384 of 2.1.x JBossWeb branch [2].
[1] http://tomcat.apache.org/security-6.html
[2] http://intranet.corp.redhat.com/ic/intranet/JBossWebCVE.html