Details
- Bug
- Resolution: Done
- Minor
- fuse-esb-7.0.2, fuse-esb-7.1.0
Description
jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370. We are shipping JRuby 1.6.7. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:
http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.