https://bugzilla.redhat.com/show_bug.cgi?id=1317516
Bug ID: 1317516
Summary: CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: abhgupta@redhat.com, agrimm@redhat.com, aileenc@redhat.com, ccoleman@redhat.com, chazlett@redhat.com, dmcphers@redhat.com, gvarsami@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jialiu@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kconner@redhat.com, kseifried@redhat.com, ldimaggi@redhat.com, lmeyer@redhat.com, mmccomas@redhat.com, nwallace@redhat.com, pavelp@redhat.com, puntogil@libero.it, rwagner@redhat.com, soa-p-jira@post-office.corp.redhat.com, s@shk.io, tcunning@redhat.com, tdawson@redhat.com, tiwillia@redhat.com, tkirby@redhat.com
Several instances of cross-site scripting vulnerabilities were identified in the web-based administration console, as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues is improper validation of user data on output and incorrect permissions configured on Jolokia.
Affected versions: ActiveMQ 5.0.0 - 5.13.1
External Reference:
http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announceme...
Adam Mariš amaris@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Depends On    |        |1317521
Depends On    |        |1317522
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1317522 [Bug 1317522] CVE-2016-0734 CVE-2016-0782 activemq: various flaws [fedora-all]
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created activemq tracking bugs for this issue:
Affects: fedora-all [bug 1317522]
Bug 1317516 depends on bug 1317522, which changed state.
Bug 1317522 Summary: CVE-2016-0734 CVE-2016-0782 activemq: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1317522

What          |Removed |Added
---------------------------------------------------------------------------
Status        |NEW     |CLOSED
Resolution    |---     |NOTABUG
Adam Mariš amaris@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Blocks        |        |1317528
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected,fuse-6/activemq=affected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected,fedora-all/activemq=affected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
Jason Shepherd jshepherd@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Priority      |medium  |low
CC            |        |jshepherd@redhat.com
Severity      |medium  |low
Martin Prpic mprpic@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Priority      |low     |medium
Severity      |low     |medium
xiaohui Wu xiwu@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
CC            |        |xiwu@redhat.com

--- Comment #3 from xiaohui Wu xiwu@redhat.com ---
https://issues.jboss.org/browse/ENTMQ-1586 was opened to track
Chess Hazlett chazlett@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Blocks        |        |1353267
--- Doc Text *updated* by Chess Hazlett chazlett@redhat.com ---
It was found that the Apache ActiveMQ administration web console did not validate input correctly when creating a queue. An authenticated attacker could exploit this flaw via cross-site scripting and use it to access sensitive information or to mount further attacks.
Chess Hazlett chazlett@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
Chess Hazlett chazlett@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
Pavel Polischouk pavelp@redhat.com changed:
What          |Removed |Added
---------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
  Added:   impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-79,amq-6/activemq=affected/impact=low,fuse-6/activemq=notaffected,fsw-6.0.0/activemq=wontfix,fsw-6.2.1/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Via RHSA-2016:1424 https://access.redhat.com/errata/RHSA-2016:1424