[ http://jira.jboss.com/jira/browse/JBESB-1561?page=comments#action_12400569 ]
Tom Fennelly commented on JBESB-1561:
-------------------------------------
Sure... from memory I thought there was a config property that needed to be set before
message-based scripts could be executed. I guess not then!!
Groovy security compromised
---------------------------
Key: JBESB-1561
URL: http://jira.jboss.com/jira/browse/JBESB-1561
Project: JBoss ESB
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Rosetta, Adapters
Affects Versions: 4.2.1 CP1
Reporter: Martin Vecera
Assigned To: Tom Fennelly
Priority: Critical
Fix For: 4.3, 4.2.1 CP2
Attachments: malgroovy.tgz
GroovyActionProcess allows execution of malicious code. This code can be sent via an ESB
message. See attached example (modified QS).
Credit goes to Jirka Pechanec for this great idea!
Proposed solution: code support for SecurityManager.