[ http://jira.jboss.com/jira/browse/JBESB-1561?page=comments#action_12400577 ]
Tom Fennelly commented on JBESB-1561:
-------------------------------------
So this action will only execute message-payload-based Groovy scripts if there is no "script" property defined on the action. I'll also add a "supportMessageBasedScripting" property (default=false) and an explicit "use with care" comment.
Groovy security compromised
---------------------------
Key: JBESB-1561
URL: http://jira.jboss.com/jira/browse/JBESB-1561
Project: JBoss ESB
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Rosetta, Adapters
Affects Versions: 4.2.1 CP1
Reporter: Martin Vecera
Assigned To: Tom Fennelly
Priority: Critical
Fix For: 4.3, 4.2.1 CP2
Attachments: malgroovy.tgz
GroovyActionProcess allows execution of malicious code. This code can be sent via ESB message. See attached example (modified QS).
Credit goes to Jirka Pechanec for this great idea!
Proposed solution: code support for SecurityManager.
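The risk reported above (a script arriving inside the message payload is handed straight to the Groovy engine) and the gating described in the comment (a script configured on the action always takes precedence, and payload scripts run only when the deployer opts in) can be sketched as a small dispatch policy. The class below is an added illustration written for this page, not JBoss ESB's GroovyActionProcessor or any of its code; the class and interface names (GatedScriptAction, ScriptRunner, Rejected) are hypothetical, while the property names "script" and "supportMessageBasedScripting" and the default of false are the ones named in the issue. The script engine is abstracted behind an interface so the example compiles with the JDK alone; it does not implement the SecurityManager support proposed in the description.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical policy for a script-running ESB action (not JBoss ESB's own class).
 * Rule 1: a "script" property configured on the action is always what runs.
 * Rule 2: a script carried in the message payload runs only when the deployer
 *         has explicitly set supportMessageBasedScripting=true.
 * Rule 3: otherwise the message is rejected and no script is evaluated.
 */
public class GatedScriptAction {

    /** Stand-in for the Groovy engine so the example has no external dependency. */
    public interface ScriptRunner {
        Object run(String source);
    }

    /** Thrown when a payload script arrives but message-based scripting is off. */
    public static final class Rejected extends RuntimeException {
        Rejected(String msg) { super(msg); }
    }

    private final String configuredScript;               // "script" property, may be absent
    private final boolean supportMessageBasedScripting;  // defaults to false
    private final ScriptRunner runner;

    public GatedScriptAction(Map<String, String> actionProperties, ScriptRunner runner) {
        this.configuredScript = actionProperties.get("script");
        this.supportMessageBasedScripting = Boolean.parseBoolean(
                actionProperties.getOrDefault("supportMessageBasedScripting", "false"));
        this.runner = runner;
    }

    /** Decide which script source (if any) is allowed to reach the engine for this message. */
    public String selectScript(String payload) {
        if (configuredScript != null) {
            return configuredScript;   // payload content never reaches the engine
        }
        if (!supportMessageBasedScripting) {
            throw new Rejected("no \"script\" property and supportMessageBasedScripting=false; "
                    + "payload script not executed");
        }
        return payload;                // explicit opt-in: deployer accepted the risk
    }

    public Object process(String payload) {
        return runner.run(selectScript(payload));
    }

    public static void main(String[] args) {
        ScriptRunner echo = src -> "ran: " + src;           // constructed stand-in engine
        String payloadScript = "println 'script from payload'"; // constructed sample payload

        Map<String, String> configured = new HashMap<>();
        configured.put("script", "println 'deployer script'");
        System.out.println(new GatedScriptAction(configured, echo).process(payloadScript));
        // ran: println 'deployer script'   (payload ignored)

        Map<String, String> defaults = new HashMap<>();
        try {
            new GatedScriptAction(defaults, echo).process(payloadScript);
        } catch (Rejected r) {
            System.out.println("rejected: " + r.getMessage());
        }

        Map<String, String> optedIn = new HashMap<>();
        optedIn.put("supportMessageBasedScripting", "true");
        System.out.println(new GatedScriptAction(optedIn, echo).process(payloadScript));
        // ran: println 'script from payload'   (explicit opt-in)
    }
}
```

The important property of this shape is that the default configuration cannot be talked into running payload content: without a "script" property the action fails closed, and the only way to reach the third branch is a deliberate deployment-time setting that is easy to audit in the action configuration.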
This message is automatically generated by JIRA.