https://bugzilla.redhat.com/show_bug.cgi?id=1317520
Bug ID: 1317520
Summary: CVE-2016-0734 activemq: Clickjacking in Web Console
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: abhgupta@redhat.com, agrimm@redhat.com, aileenc@redhat.com, ccoleman@redhat.com, chazlett@redhat.com, dmcphers@redhat.com, gvarsami@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jialiu@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kconner@redhat.com, kseifried@redhat.com, ldimaggi@redhat.com, lmeyer@redhat.com, mmccomas@redhat.com, nwallace@redhat.com, pavelp@redhat.com, puntogil@libero.it, rwagner@redhat.com, soa-p-jira@post-office.corp.redhat.com, s@shk.io, tcunning@redhat.com, tdawson@redhat.com, tiwillia@redhat.com, tkirby@redhat.com
It was reported that the web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.
Affected versions: Apache ActiveMQ 5.0.0 - 5.13.1
External Reference:
http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announceme...
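The condition the report describes, a console response that carries no X-Frame-Options header, can be checked mechanically from the response head alone. The following is an added example written for this page; it is not code from Apache ActiveMQ, Red Hat, or the reporter. The response heads are constructed samples, and the hardened sample assumes the header is supplied either by a fixed build or by a reverse proxy placed in front of the console. The check goes slightly beyond the report in one respect: it also honours the Content-Security-Policy frame-ancestors directive, which browsers that support it prefer over X-Frame-Options when both are present.

```python
"""Framing-protection check for an HTTP response head.

Added example for this page, not ActiveMQ or Red Hat code.  Given the raw
head of an HTTP/1.x response it decides whether a page on another origin
could embed the response in a frame, which is the precondition for the
clickjacking described in CVE-2016-0734.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FramingVerdict:
    frameable_by_third_party: bool  # True: a cross-origin page may frame it
    source: str                     # "csp", "x-frame-options" or "none"
    detail: str


def parse_response_head(raw: bytes) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw response into (status code, [(name, value), ...]).
    Header names are lower-cased; repeated headers are kept in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def _values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """Every occurrence of `name`, each further split on commas: a repeated
    header and a comma-joined one are equivalent on the wire."""
    out = []
    for n, v in headers:
        if n == name:
            out.extend(p.strip() for p in v.split(",") if p.strip())
    return out


def _csp_frame_ancestors(headers: list[tuple[str, str]]) -> list[list[str]]:
    """Source lists of every enforced CSP policy that carries frame-ancestors.
    Content-Security-Policy-Report-Only does not block, so it is ignored."""
    lists = []
    for policy in _values(headers, "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.strip("'").lower() for t in tokens[1:]])
    return lists


def check_framing(raw: bytes) -> FramingVerdict:
    _, headers = parse_response_head(raw)

    ancestors = _csp_frame_ancestors(headers)
    if ancestors:
        # Every delivered policy is enforced, so the most restrictive wins.
        # An empty source list matches nothing, i.e. behaves like 'none'.
        if any(lst == ["none"] or not lst for lst in ancestors):
            return FramingVerdict(False, "csp", "frame-ancestors 'none'")
        if all(set(lst) <= {"self"} for lst in ancestors):
            return FramingVerdict(False, "csp", "frame-ancestors 'self'")
        allowed = sorted({t for lst in ancestors for t in lst})
        return FramingVerdict(True, "csp", "frame-ancestors allow-list: " + " ".join(allowed))

    xfo = {v.upper() for v in _values(headers, "x-frame-options")}
    if not xfo:
        return FramingVerdict(True, "none", "no X-Frame-Options or CSP frame-ancestors")
    if len(xfo) > 1:
        # Conflicting values: do not trust them, report them as a finding.
        return FramingVerdict(True, "x-frame-options", "conflicting values: " + ", ".join(sorted(xfo)))
    (value,) = xfo
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(False, "x-frame-options", value)
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid.
    return FramingVerdict(True, "x-frame-options", "unenforced value: " + value)


# Constructed sample response heads; not captured from a real ActiveMQ instance.
VULNERABLE_HEAD = (  # what the report describes: no framing protection at all
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=constructed; Path=/admin; HttpOnly\r\n"
    b"\r\n<html>...</html>"
)
HARDENED_HEAD = (  # assumed output of a fixed build or a reverse proxy adding the header
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
)
CSP_WINS_HEAD = (  # conflicting X-Frame-Options, but CSP frame-ancestors decides
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
)
OBSOLETE_HEAD = (  # ALLOW-FROM is not enforced by current browsers
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: ALLOW-FROM https://intranet.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, head in [("vulnerable", VULNERABLE_HEAD), ("hardened", HARDENED_HEAD),
                        ("csp-wins", CSP_WINS_HEAD), ("obsolete", OBSOLETE_HEAD)]:
        print(label, check_framing(head))
```

Run it against a saved response head (for example the output of `curl -si` against the console URL, with the body cut at the first blank line) to get the same verdict the constructed samples show. The check reports conflicting or obsolete X-Frame-Options values as frameable on purpose: a header an auditor cannot rely on is a finding, whatever a particular browser happens to do with it.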
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1317521
Depends On| |1317522
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1317522 [Bug 1317522] CVE-2016-0734 CVE-2016-0782 activemq: various flaws [fedora-all]
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created activemq tracking bugs for this issue:
Affects: fedora-all [bug 1317522]
Bug 1317520 depends on bug 1317522, which changed state.
Bug 1317522 Summary: CVE-2016-0734 CVE-2016-0782 activemq: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1317522
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |NOTABUG
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1317528
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=affected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=affected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=notaffected,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=notaffected,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=affected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
CC| |jshepherd@redhat.com
Severity|medium |low
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|low |medium
Severity|low |medium
xiaohui Wu xiwu@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |xiwu@redhat.com
--- Comment #3 from xiaohui Wu xiwu@redhat.com --- https://issues.jboss.org/browse/ENTMQ-1586 was opened to track
--- Doc Text *updated* by Chess Hazlett chazlett@redhat.com --- It was reported that the web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected |impact=moderate,public=20160310,reported=20160310,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cvss3=3.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N,amq-6/activemq=affected/impact=low/cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:P/A:N,fuse-6/activemq=notaffected,fsw-6/activemq=notaffected,openshift-enterprise-2/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,openshift-1/activemq=affected/impact=low/cvss2=1.5/AV:L/AC:M/Au:S/C:N/I:P/A:N,fedora-all/activemq=notaffected
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Via RHSA-2016:1424 https://access.redhat.com/errata/RHSA-2016:1424