
Key: ENTESB-454
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Minor
Assignee: Claus Ibsen
Reporter: David Jorm
Votes: 0
Watchers: 0
Fuse ESB Enterprise

jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370

Created: 29/Nov/12 06:06 AM   Updated: 29/Mar/13 08:18 PM
Component/s: None
Affects Version/s: 7.0.2, 7.1.0
Fix Version/s: 7.1.0, jboss-fuse-6.0


Description
jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370. We are shipping JRuby 1.6.7. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.



David Jorm added a comment - 14/Dec/12 06:38 AM
An upstream patch is now available in JRuby 1.7.1:

http://jruby.org/2012/12/03/jruby-1-7-1

The relevant patch commit:

https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77


Claus Ibsen added a comment - 14/Dec/12 07:46 AM
jruby 1.7.1 is released and in the central maven repo.

Claus Ibsen added a comment - 14/Dec/12 09:15 AM
Upgraded to jruby 1.7.1 at Apache Camel.
Will backport these fixes to Fuse Camel trunk / 2.10 and 2.9 branches.

Claus Ibsen added a comment - 19/Dec/12 11:44 AM
Yeah, ought to be fixed as Camel is pulling in ruby using the camel-ruby and it's now using 1.7.1.

Aileen Cunningham added a comment - 28/Mar/13 11:02 AM - edited
Feedback from Arun on CR1

Can you confirm that this fix is in JBoss Fuse 6.0?

4) http://fusesource.com/issues/browse/ENTESB-454 - We seem to ship jruby-1.1 along with the servicemix bundles (org.apache.servicemix.bundles.jruby-1.1.2_3.jar). I was not able to find the fix in the jar. Can engineering please confirm? Can we upgrade this?

Test of a patch:
> FAIL : Check for Ruby.isSiphashEnabled method
> FAIL : Check for org.jruby.util.PerlHash
> CVE-2012-5371: Patch not found