Apache · Apache Geronimo · CVE-2007-5797
**Name of the Vulnerable Software and Affected Versions**
Apache Geronimo versions 2.0 through 2.1
**Description**
The issue allows remote attackers to bypass authentication by attempting to log in with any username not contained in the database, as the SQLLoginModule does not throw an exception for a nonexistent username.
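The fail-open pattern described above, next to a fail-closed version, as an added sketch that is not taken from Geronimo's source. The class and method names and the in-memory user table are hypothetical stand-ins for the module and its database query.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class FailOpenLoginDemo {
    // Constructed stand-in for the user table a SQL-backed login module queries.
    // Plaintext passwords keep the sketch short; real tables store password hashes.
    static final Map<String, String> USERS = Map.of("alice", "correct-horse");

    // Fail-open: only a wrong password on a matching row raises an error.
    static boolean loginFailOpen(String user, String password) throws LoginException {
        for (Map.Entry<String, String> row : USERS.entrySet()) {
            if (!row.getKey().equals(user)) continue;   // emulates WHERE username = ?
            if (!row.getValue().equals(password)) {
                throw new FailedLoginException("bad password");
            }
            return true;
        }
        return true; // no row matched, nothing threw: unknown user is accepted
    }

    // Fail-closed: a missing row is rejected exactly like a wrong password.
    static boolean loginFailClosed(String user, String password) throws LoginException {
        String stored = USERS.get(user);
        if (stored == null || !MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("authentication failed");
        }
        return true;
    }

    public static void main(String[] args) throws LoginException {
        // "nosuchuser" is absent from the constructed table above.
        System.out.println("fail-open accepts unknown user: "
                + loginFailOpen("nosuchuser", "anything"));
        try {
            loginFailClosed("nosuchuser", "anything");
        } catch (FailedLoginException e) {
            System.out.println("fail-closed rejects unknown user: " + e.getMessage());
        }
        System.out.println("fail-closed accepts valid user: "
                + loginFailClosed("alice", "correct-horse"));
    }
}
```

A regression test for any login module should include the unknown-user case and assert that it raises `FailedLoginException`, not only the wrong-password case.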
**Recommendations**
For Apache Geronimo versions 2.0 through 2.1, consider temporarily restricting access to the SQLLoginModule until a patch is available. As a workaround, monitor login attempts closely to detect and prevent potential unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.