[java-sig-commits] [Bug 1880101] New: CVE-2020-13920 activemq: improper authentication allows MITM attack

17 Sep 2020


      https://bugzilla.redhat.com/show_bug.cgi?id=1880101
Bug ID: 1880101
           Summary: CVE-2020-13920 activemq: improper authentication
                    allows MITM attack
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: gsuckevi@redhat.com
                CC: aboyko@redhat.com, aileenc@redhat.com,
                    akoufoud@redhat.com, alazarot@redhat.com,
                    almorale@redhat.com, anstephe@redhat.com,
                    asoldano@redhat.com, atangrin@redhat.com,
                    ataylor@redhat.com, bbaranow@redhat.com,
                    bmaxwell@redhat.com, brian.stansberry@redhat.com,
                    cdewolf@redhat.com, chazlett@redhat.com,
                    darran.lofthouse@redhat.com, dblechte@redhat.com,
                    dfediuck@redhat.com, dkreling@redhat.com,
                    dosoudil@redhat.com, drieden@redhat.com,
                    eedri@redhat.com, eleandro@redhat.com,
                    etirelli@redhat.com, extras-orphan@fedoraproject.org,
                    ganandan@redhat.com, ggaughan@redhat.com,
                    gmalinko@redhat.com, gvarsami@redhat.com,
                    ibek@redhat.com, iweiss@redhat.com,
                    janstey@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jawilson@redhat.com, jcoleman@redhat.com,
                    jochrist@redhat.com, jperkins@redhat.com,
                    jstastny@redhat.com, jwon@redhat.com,
                    kconner@redhat.com, krathod@redhat.com,
                    kverlaen@redhat.com, kwills@redhat.com,
                    ldimaggi@redhat.com, lef@fedoraproject.org,
                    lgao@redhat.com, mgoldboi@redhat.com,
                    michal.skrivanek@redhat.com, mnovotny@redhat.com,
                    msochure@redhat.com, msvehla@redhat.com,
                    nwallace@redhat.com, pdrozd@redhat.com,
                    pjindal@redhat.com, pmackay@redhat.com,
                    psotirop@redhat.com, puntogil@libero.it,
                    rguimara@redhat.com, rrajasek@redhat.com,
                    rstancel@redhat.com, rsvoboda@redhat.com,
                    rsynek@redhat.com, rwagner@redhat.com,
                    sbonazzo@redhat.com, sdaley@redhat.com,
                    sherold@redhat.com, smaestri@redhat.com,
                    sthorger@redhat.com, tcunning@redhat.com,
                    tkirby@redhat.com, tom.jenkinson@redhat.com,
                    yturgema@redhat.com
  Target Milestone: ---
    Classification: Other
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
registry and binds the server to the "jmxrmi" entry. It is possible to connect
to the registry without authentication and call the rebind method to rebind
jmxrmi to something else. If an attacker creates another server to proxy the
original, and bound that, he effectively becomes a man in the middle and is
able to intercept the credentials when an user connects. Upgrade to Apache
ActiveMQ 5.15.12.
Reference:
http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcem...
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1880101] New: CVE-2020-13920 activemq: improper authentication allows MITM attack