https://bugzilla.redhat.com/show_bug.cgi?id=1880101
Bug ID: 1880101 Summary: CVE-2020-13920 activemq: improper authentication allows MITM attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dblechte@redhat.com, dfediuck@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eedri@redhat.com, eleandro@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jcoleman@redhat.com, jochrist@redhat.com, jperkins@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, nwallace@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbonazzo@redhat.com, sdaley@redhat.com, sherold@redhat.com, smaestri@redhat.com, sthorger@redhat.com, tcunning@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, yturgema@redhat.com Target Milestone: --- Classification: Other
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
Reference: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcem...
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1880102
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |Apache ActiveMQ 5.15.12
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects.
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:3140
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2021-08-11 19:28:26
--- Comment #16 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-13920
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:3205
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207
https://bugzilla.redhat.com/show_bug.cgi?id=1880101
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:3207
java-sig-commits@lists.fedoraproject.org