Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2021/11/23 22:02:25 UTC

[GitHub] [activemq] ViliusS opened a new pull request #727: [Security] Fix user permissions in web console

ViliusS opened a new pull request #727:
URL: https://github.com/apache/activemq/pull/727


   It's unbelievable, but standard users had administrative permissions for the last 8 years since [this commit](https://github.com/apache/activemq/commit/75c659f122bc60a4e21da1f3bf3eadd227c49cbe#diff-71f952bc2da8f034245e7a495529308f986cce1d07143b5b961f93b03a860630R40) left a glaring security hole in the web console's configuration.
   
   This patch plugs that hole.
   
   Please apply it ASAP since the default ActiveMQ configuration is used by hundreds of Docker images including the [official GCP image](https://github.com/GoogleCloudPlatform/click-to-deploy/blob/d380caae20fa460182b7764c0e0d463a7f5917cb/docker/activemq/5/debian9/5.16/Dockerfile#L8) and the ActiveMQ Kubernetes application on Google Marketplace, which has [a simple configuration switch](https://github.com/GoogleCloudPlatform/click-to-deploy/blob/d380caae20fa460182b7764c0e0d463a7f5917cb/docker/activemq/5/debian9/5.16/docker-entrypoint.sh#L30) to allow exposure of the ActiveMQ instance to the internet. Most system administrators are completely unaware that _user_/_user_ credentials exist, and even if they are, they have no idea that this user has administrative access.
   
   P.S. I have tested only the /admin part, since I don't have /api configured. Somebody needs to test the /api side. Probably it is better to move /api/* into adminSecurityConstraint altogether?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@activemq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [activemq] jbonofre commented on pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
jbonofre commented on pull request #727:
URL: https://github.com/apache/activemq/pull/727#issuecomment-1016639216


   FYI, I'm testing it right now, I will deal with the merge and update. Sorry about the delay.



[GitHub] [activemq] mattrpav commented on pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
mattrpav commented on pull request #727:
URL: https://github.com/apache/activemq/pull/727#issuecomment-978203642


   @ViliusS I've tagged the JIRA for inclusion in 5.16.4, which is in progress. I agree the security risk may be serious to certain users. The issue is minor, given there is a known fix and the fix is in a config file, not code.
   
   I advise all users to adjust their conf/jetty.xml if web console access is exposed for non-admin users, or disallow non-admin access to the web console.



[GitHub] [activemq] jbonofre merged pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
jbonofre merged pull request #727:
URL: https://github.com/apache/activemq/pull/727


   



[GitHub] [activemq] ViliusS commented on pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
ViliusS commented on pull request #727:
URL: https://github.com/apache/activemq/pull/727#issuecomment-977253379


   Thank you for your reply.
   
   Your comment about the configuration control by Google is correct; however, if they change the default password in their image it still doesn't solve the issue regarding the "user" role having administrative rights. Currently there is no way for others to know the risks of having the "user" account enabled besides looking at ActiveMQ code.
   
   I'm not sure what the status of the patch you mentioned is, but I still expect this issue fixed ASAP. Even if it breaks access to the API, it is a lesser evil than having a security hole.
   
   IMHO, having https://issues.apache.org/jira/browse/AMQ-5388 open for so long is unacceptable and is a horror story waiting to happen. We were almost ready to deploy ActiveMQ in our SaaS application for thousands of clients and I only accidentally stumbled on this vulnerability.



[GitHub] [activemq] jbonofre commented on a change in pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
jbonofre commented on a change in pull request #727:
URL: https://github.com/apache/activemq/pull/727#discussion_r787932652



##########
File path: assembly/src/release/conf/jetty.xml
##########
@@ -43,7 +43,7 @@
     </bean>
     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="securityConstraint" />
-        <property name="pathSpec" value="/*,/api/*,/admin/*,*.jsp" />
+        <property name="pathSpec" value="/,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
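Review bot: with `/api/*` and `/admin/*` removed from this pathSpec, nothing in the hunk shows which ConstraintMapping covers /api/* after the change, and the PR description itself leaves that open ("Probably it is better to move /api/* into adminSecurityConstraint altogether?"). Please state in the PR which bean governs /api/* now and verify that a request to a path under /api/ with the `user` credentials is rejected, since the description says only /admin was tested. The swap from `/*` to `/` also changes precedence: `/*` is a prefix pattern that matches every path at prefix rank, while `/` is the default pattern, consulted only when no exact, prefix or extension pattern matches, so admin-only prefix patterns in another mapping now take precedence for the paths they cover. A one-line XML comment above this property explaining why `/` rather than `/*` is used would keep the next editor from reverting it.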

Review comment:
   pathSpec should be:
   ```
   <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
       <property name="constraint" ref="securityConstraint" />
       <property name="pathSpec" value="/api/*,*.jsp,*.html,*.png,*.css,/admin/js/*" />
   </bean>
   ```





[GitHub] [activemq] mattrpav edited a comment on pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
mattrpav edited a comment on pull request #727:
URL: https://github.com/apache/activemq/pull/727#issuecomment-978203642


   @ViliusS I've tagged the JIRA [AMQ-5388](https://issues.apache.org/jira/browse/AMQ-5388) for inclusion in 5.16.4, which is in progress. I agree the security risk may be serious to certain users. The issue is minor, given there is a known fix and the fix is in a config file, not code.
   
   I advise all users to adjust their conf/jetty.xml if web console access is exposed for non-admin users, or disallow non-admin access to the web console.



[GitHub] [activemq] mattrpav commented on pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
mattrpav commented on pull request #727:
URL: https://github.com/apache/activemq/pull/727#issuecomment-977233061


   @ViliusS Thank you for the note. I'm working on another patch to separate access to web console and API by designating a separate role instead of 'admin' or all users. I'll look into adding this additional content filter as part of that.
   
   Please note: opening a ticket with Google is prudent. We do not have control over other organizations' containers, deployments and security setup.
   
   Thanks,
   Matt Pavlovich
   



[GitHub] [activemq] jbonofre commented on a change in pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
jbonofre commented on a change in pull request #727:
URL: https://github.com/apache/activemq/pull/727#discussion_r787931944



##########
File path: assembly/src/release/conf/jetty.xml
##########
@@ -43,7 +43,7 @@
     </bean>
     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="securityConstraint" />
-        <property name="pathSpec" value="/*,/api/*,/admin/*,*.jsp" />
+        <property name="pathSpec" value="/,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />

Review comment:
   api is missing here.





[GitHub] [activemq] jbonofre commented on a change in pull request #727: [Security] Fix user permissions in web console

Posted by GitBox <gi...@apache.org>.
jbonofre commented on a change in pull request #727:
URL: https://github.com/apache/activemq/pull/727#discussion_r787945290



##########
File path: assembly/src/release/conf/jetty.xml
##########
@@ -43,7 +43,7 @@
     </bean>
     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="securityConstraint" />
-        <property name="pathSpec" value="/*,/api/*,/admin/*,*.jsp" />
+        <property name="pathSpec" value="/,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />

Review comment:
   Never mind, `/` is enough ;)




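The review comments above turn on how Jetty resolves a request path against several `ConstraintMapping` beans with different `pathSpec` values. The script below is an added example for checking that, not code from the ActiveMQ project or from anyone in this thread. It parses a jetty.xml-style `<bean>` fragment and resolves each probe path using the Servlet-specification pattern precedence (exact match, then the longest `/prefix/*`, then `*.ext`, then the default `/`), merging the roles of every mapping that shares the winning pattern, which is the specification's rule for combining constraints and is my understanding of what Jetty's `ConstraintSecurityHandler` does. Only the two `securityConstraintMapping` pathSpec values come from the PR diff; the admin mapping's pathSpec (`/admin/*,/api/*`), the role names `user` and `admin`, and the probe paths are constructed for the example, and the fragment omits the Spring beans namespace for brevity (the parser strips namespaces, so it also accepts a real file).

```python
"""Audit which roles a set of Jetty ConstraintMapping beans lets reach a path.

Added example, not ActiveMQ project code.  Pattern precedence follows the
Servlet specification (exact > longest "/prefix/*" > "*.ext" > default "/");
constraints sharing the winning pattern contribute the union of their roles.
Every jetty.xml fragment and probe path below is constructed for the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET


def _fragment(user_path_spec: str) -> str:
    # Constructed fragment; the admin mapping's pathSpec is an assumption.
    return f"""<beans>
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="roles" value="user,admin" />
    <property name="authenticate" value="true" />
  </bean>
  <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="roles" value="admin" />
    <property name="authenticate" value="true" />
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="{user_path_spec}" />
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="/admin/*,/api/*" />
  </bean>
</beans>
"""


BEFORE_XML = _fragment("/*,/api/*,/admin/*,*.jsp")                      # value the PR removes
AFTER_XML = _fragment("/,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico")   # value the PR adds

# Constructed probe paths: console page, console action, static asset, REST API, landing page.
PROBE_PATHS = ["/admin/queues.jsp", "/admin/sendMessage.action",
               "/admin/js/common.js", "/api/jolokia", "/index.html"]


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://www.springframework.org/schema/beans}."""
    return tag.rsplit("}", 1)[-1]


def _props(bean: ET.Element) -> dict:
    """Map property name -> <property> element for one bean."""
    return {p.get("name"): p for p in bean if _local(p.tag) == "property"}


def load_mappings(xml_text: str) -> list:
    """Return (pathSpec, roles) pairs, one per comma-separated spec in each ConstraintMapping."""
    beans = [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "bean"]
    constraints = {}
    for bean in beans:                                   # pass 1: Constraint beans -> role sets
        if bean.get("class", "").endswith(".Constraint"):
            roles_prop = _props(bean).get("roles")
            raw = roles_prop.get("value", "") if roles_prop is not None else ""
            constraints[bean.get("id")] = frozenset(r.strip() for r in raw.split(",") if r.strip())
    mappings = []
    for bean in beans:                                   # pass 2: ConstraintMapping beans -> specs
        if bean.get("class", "").endswith(".ConstraintMapping"):
            props = _props(bean)
            roles = constraints[props["constraint"].get("ref")]
            for spec in props["pathSpec"].get("value", "").split(","):
                mappings.append((spec.strip(), roles))
    return mappings


def _rank(spec: str, path: str):
    """Precedence of a matching pattern (lower sorts first); None when it does not match."""
    if spec == "/":                                      # default pattern: consulted last
        return (3, 0)
    if spec.endswith("/*"):                              # prefix pattern; "/*" has an empty prefix
        prefix = spec[:-2]
        return (1, -len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if spec.startswith("*."):                            # extension pattern
        return (2, 0) if path.endswith(spec[1:]) else None
    return (0, 0) if path == spec else None              # exact pattern


def effective_roles(mappings: list, path: str):
    """Roles allowed on `path`; None when no constraint covers it (anonymous access).

    Every mapping at the most specific matching rank is merged, so two beans that both
    list "/admin/*" yield the union of their roles.
    """
    ranked = [(rank, roles) for spec, roles in mappings
              if (rank := _rank(spec, path)) is not None]
    if not ranked:
        return None
    best = min(rank for rank, _ in ranked)
    return frozenset().union(*[roles for rank, roles in ranked if rank == best])


def paths_reachable_by(xml_text: str, role: str, paths: list) -> list:
    """Subset of `paths` a principal holding `role` (or an anonymous caller) can reach."""
    mappings = load_mappings(xml_text)
    return [p for p in paths
            if (roles := effective_roles(mappings, p)) is None or role in roles]


if __name__ == "__main__":
    for label, xml_text in (("before patch", BEFORE_XML), ("after patch", AFTER_XML)):
        print(f"{label}: role 'user' reaches {paths_reachable_by(xml_text, 'user', PROBE_PATHS)}")
```

With the constructed admin mapping, the pre-patch fragment lets the `user` role reach every probe path, because `/admin/*` and `/api/*` appear in both mappings and the matching constraints merge; after the patch, only `/index.html` remains reachable by `user`, while the `/admin/*` and `/api/*` prefix patterns of the admin mapping win over the `*.js` suffix and the default `/`. To audit a deployed broker, pass the text of its conf/jetty.xml to `paths_reachable_by` together with the paths you care about.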