High severityNVD Advisory· Published Jul 11, 2013· Updated Apr 29, 2026

CVE-2013-1777

Description

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.geronimo.framework:geronimo-jmx-remotingMaven	>= 3.0-beta-1, < 3.0.1	3.0.1

Affected products

Apache/Geronimo3 versions
cpe:2.3:a:apache:geronimo:3.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:apache:geronimo:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:geronimo:3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:geronimo:3.0:m1:*:*:*:*:*:*
IBM/Websphere Application Server
cpe:2.3:a:ibm:websphere_application_server:3.0.0.3:-:community:*:*:*:*:*

Patches

ee031c5e62b0

set better classloader for jmx

https://github.com/apache/geronimoJarek GaworMar 19, 2013via ghsa

commit

2 files changed · +13 −4

framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java+4 −2 modified

@@ -192,21 +192,23 @@ public void doStart() throws Exception {
         if (applicationConfigName != null) {
             authenticator = new Authenticator(applicationConfigName, classLoader);
             String accessconfig = serverInfo.resolveServerPath("var/security/jmx_access.properties");
-	    env.put("jmx.remote.x.access.file",accessconfig);
+            env.put("jmx.remote.x.access.file", accessconfig);
             env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);
         } else {
             log.warn("Starting unauthenticating JMXConnector for " + jmxServiceURL);
         }
         RMIServerSocketFactory serverSocketFactory = new GeronimoRMIServerSocketFactory(host);
         env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, serverSocketFactory);
+        
         server = JMXConnectorServerFactory.newJMXConnectorServer(jmxServiceURL, env, mbeanServer);
         NotificationFilterSupport filter = new NotificationFilterSupport();
         filter.enableType(JMXConnectionNotification.OPENED);
         filter.enableType(JMXConnectionNotification.CLOSED);
         filter.enableType(JMXConnectionNotification.FAILED);
         server.addNotificationListener(authenticator, filter, null);
+        
         ClassLoader oldCl = Thread.currentThread().getContextClassLoader();
-        Thread.currentThread().setContextClassLoader(classLoader);
+        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
         try {
             server.start();
         } finally {

framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java+9 −2 modified

@@ -139,7 +139,7 @@ public void doStart() throws Exception {
         if (applicationConfigName != null) {
             authenticator = new Authenticator(applicationConfigName, classLoader);
             String accessconfig = serverInfo.resolveServerPath("var/security/jmx_access.properties");
-	    env.put("jmx.remote.x.access.file",accessconfig);
+            env.put("jmx.remote.x.access.file", accessconfig);
             env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);
         } else {
             log.warn("Starting unauthenticating JMXConnector for " + jmxServiceURL);
@@ -157,7 +157,14 @@ public void doStart() throws Exception {
         filter.enableType(JMXConnectionNotification.CLOSED);
         filter.enableType(JMXConnectionNotification.FAILED);
         server.addNotificationListener(authenticator, filter, null);
-        server.start();
+        
+        ClassLoader oldCl = Thread.currentThread().getContextClassLoader();
+        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
+        try {
+            server.start();
+        } finally {
+            Thread.currentThread().setContextClassLoader(oldCl);
+        }
         log.debug("Started JMXConnector " + server.getAddress());
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www-01.ibm.com/support/docview.wssnvdPatchVendor AdvisoryWEB
geronimo.apache.org/30x-security-report.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-v64w-96p6-fx7wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-1777ghsaADVISORY
archives.neohapsis.com/archives/bugtraq/2013-07/0008.htmlnvdWEB
svn.apache.org/viewvc/geronimo/server/trunkghsaWEB
svn.apache.org/viewvcghsaWEB
github.com/apache/geronimo/commit/ee031c5e62b0d358250d06c2aa6722518579a6c5ghsaWEB
issues.apache.org/jira/browse/GERONIMO-6477nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.007
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000