On all platforms, JRun session management has a software defect that allows users to have duplicate sessions in specific circumstances. This effectively compromises session security.
Credit:
The information has been provided by Macromedia Security Alert.
Affected software versions:
* JRun 3.1 (all editions)
* JRun 3.0 (all editions)
Example:
For a web application called "ctx", requesting the default document without the trailing slash, like this:
http://[machinename]/ctx
would give the user a session id that was already active instead of a new session.
Macromedia is currently working on one case that is very specific in its setup where the problem still occurs. Macromedia has not, as of yet, been able to reproduce this problem in house. Macromedia believes that the current workaround will be sufficient in the vast majority of cases. You will be notified of an updated fix to this issue in the event that the current issue under investigation is, in fact, a JRun problem.
What Macromedia is doing:
Macromedia has published this bulletin, notifying customers of the problem and making a hotfix available. Macromedia also intends to patch this problem in the next cumulative release of JRun 3.1.
What customers should do:
Macromedia recommends that users download the patch corresponding to the JRun version they are running. JRun users can find the patch for installation at the following URIs; instructions for installation are included:
* JRun 3.0: Hotfix 24049 for JRun 3.0
* JRun 3.1: Hotfix 24049 for JRun 3.1
The instructions for installation are contained in the jar file that you will be downloading. Please read the txt file included in the jar file for instructions on how to apply this patch. Macromedia has also included installation instructions in this document for your convenience.
Please note: As always, customers should test changes in a testing environment before modifying production servers.
Patch installation instructions:
In order to apply this patch, you should have the latest full security rollup for JRun 3.1 - build 16777. Please reference the following document:
MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability)
To verify the version you currently have, run the following commands:
Windows 2000/NT/Win9x command prompt:
cd "Program Files\Allaire\JRun\bin"
jrun -version
Unix/Linux shell:
cd /opt/jrun/bin
jrun -version
Follow the steps below to apply the patch:
1) Bring down all JRun servers running on a specific machine.
2) Place the JRun3x_HF_24049.jar in the JRun/lib directory.
3) Edit the /JRun/lib/global.properties file and add the hotfix .jar file to the FRONT of the jrun.classpath variable as in the example below:
jrun.classpath={jrun.rootdir}/lib/JRun3x_HF_24049.jar;{jrun.rootdir}/lib/ext;{jrun.rootdir}/lib/jrun.jar;{jrun.rootdir}/lib/install.jar;D:\\jdk1.3\\lib\\tools.jar
Note that you should replace the x with either "0" or "1" depending upon the version you are working with.
4) Restart the JRun servers.
Make sure the server(s) start up correctly by checking the /JRun/logs files for errors.
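Step 3 is the one that is easy to get wrong: if the hotfix jar is placed anywhere other than the front of jrun.classpath, the original (defective) classes in jrun.jar are loaded first and the hotfix is silently ineffective. The following POSIX shell script is an added example (not part of the Macromedia bulletin and not a Macromedia tool) that checks a global.properties file and reports whether the hotfix jar is the first classpath entry. It assumes the "key=value" format and ';' separator shown in the bulletin's example; the sample properties files it writes are constructed for the demonstration, and the jar name is the one given in step 2 with "x" replaced by "1" for JRun 3.1.

```shell
#!/bin/sh
# Added example: verify that the JRun hotfix jar is the FIRST entry of
# jrun.classpath in global.properties (step 3 of the patch instructions).
# Assumptions: properties file uses "jrun.classpath=<entry>;<entry>;..." as in
# the bulletin; entries are separated by ';' regardless of platform.

# Print the basename of the first jrun.classpath entry in the given file.
# $1 = path to global.properties
first_classpath_entry() {
    grep '^jrun.classpath=' "$1" | head -n 1 \
        | sed 's/^jrun.classpath=//' \
        | cut -d';' -f1 \
        | sed 's#.*/##'
}

# Succeed (exit 0) only if the hotfix jar is the first classpath entry.
# $1 = path to global.properties, $2 = expected jar name
hotfix_is_first() {
    [ "$(first_classpath_entry "$1")" = "$2" ]
}

# Constructed sample files (not real installations) for demonstration.
tmpdir=$(mktemp -d)

# Correct: hotfix jar at the front, mirroring the bulletin's example line.
cat > "$tmpdir/patched.properties" <<'EOF'
jrun.classpath={jrun.rootdir}/lib/JRun31_HF_24049.jar;{jrun.rootdir}/lib/ext;{jrun.rootdir}/lib/jrun.jar;{jrun.rootdir}/lib/install.jar;D:\\jdk1.3\\lib\\tools.jar
EOF

# Wrong: jar present but appended at the end, so jrun.jar still wins.
cat > "$tmpdir/unpatched.properties" <<'EOF'
jrun.classpath={jrun.rootdir}/lib/ext;{jrun.rootdir}/lib/jrun.jar;{jrun.rootdir}/lib/JRun31_HF_24049.jar
EOF

for f in patched unpatched; do
    if hotfix_is_first "$tmpdir/$f.properties" JRun31_HF_24049.jar; then
        echo "$f.properties: OK, hotfix jar is first on jrun.classpath"
    else
        echo "$f.properties: NOT OK, first entry is '$(first_classpath_entry "$tmpdir/$f.properties")'"
    fi
done
```

Run it against the real /JRun/lib/global.properties after step 3 and before restarting the servers in step 4; for JRun 3.0 pass JRun30_HF_24049.jar as the jar name instead. The build-16777 prerequisite from the rollup still has to be confirmed separately with "jrun -version".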