oss-sec mailing list archives
Fwd: CVE-2015-0249: Apache Roller allows admin users to execute arbitrary Java code
From: Dave <snoopdave () gmail com>
Date: Mon, 30 Mar 2015 16:11:33 -0400
---------- Forwarded message ----------
From: Dave <snoopdave () gmail com>
Date: Tue, Mar 24, 2015 at 7:22 PM
Subject: CVE-2015-0249: Apache Roller allows admin users to execute arbitrary Java code
To: "dev () roller apache org" <dev () roller apache org>, user () roller apache org

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 5.1.1
Roller 5.1
The unsupported pre-Roller 5.1 versions may also be affected

Description:
A Roller user with Admin-level access to a weblog can edit a weblog page template and use special Velocity syntax to execute Java code on the server.

Mitigation:
There are several ways you can fix this vulnerability:

1) Upgrade to the latest version of Roller, which is now 5.1.2.

2) Or, add the following line to Roller's velocity.properties file:

runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector

3) Or, disable template editing on your Roller system by un-checking the Allow Custom Themes setting in the Server Admin -> Configuration page, Theme Settings section.

Credit: This issue was discovered by Gregory Draperi.
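An added audit check for mitigation 2 (example code, not part of the advisory or of the Roller project): it parses a velocity.properties file using Java .properties conventions (comments, '=' or ':' separators, backslash continuations) and reports whether runtime.introspector.uberspect is set to SecureUberspector, so a commented-out or mistyped entry is not mistaken for a fix. The file path is assumed to be passed on the command line; the sample file contents below are constructed.

```python
import sys

UBERSPECT_KEY = "runtime.introspector.uberspect"
SECURE_UBERSPECTOR = "org.apache.velocity.util.introspection.SecureUberspector"

# Constructed sample: the key appears only in a commented-out line, so it is NOT applied.
SAMPLE_UNMITIGATED = """\
# velocity.properties (constructed example)
resource.loader = file
#runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
"""

# Constructed sample: the advisory's line applied, split with a backslash continuation.
SAMPLE_MITIGATED = """\
resource.loader = file
runtime.introspector.uberspect = \\
    org.apache.velocity.util.introspection.SecureUberspector
"""


def parse_properties(text):
    """Minimal Java .properties parser: returns {key: value}, last definition wins."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank or comment line outside a continuation
        logical.append(line)
        if line.endswith("\\"):           # trailing backslash: value continues on next line
            logical[-1] = line[:-1]
            continue
        joined, logical = "".join(logical), []
        # the key ends at the first '=', ':' or whitespace; separators after it are skipped
        for i, ch in enumerate(joined):
            if ch in "=:" or ch.isspace():
                key, value = joined[:i], joined[i + 1:].lstrip(" \t=:")
                break
        else:
            key, value = joined, ""
        props[key.strip()] = value.strip()
    return props


def mitigation_status(text):
    """Return (mitigated, reason) for the contents of a velocity.properties file."""
    value = parse_properties(text).get(UBERSPECT_KEY)
    if value is None:
        return False, f"{UBERSPECT_KEY} is not set"
    if value == SECURE_UBERSPECTOR:
        return True, "SecureUberspector is configured"
    return False, f"{UBERSPECT_KEY} is set to {value!r}, not SecureUberspector"


if __name__ == "__main__":
    # assumed usage: python audit.py /path/to/velocity.properties (path is a placeholder)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNMITIGATED
    ok, why = mitigation_status(text)
    print(("OK: " if ok else "NOT MITIGATED: ") + why)
    sys.exit(0 if ok else 1)
```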