Posted to dev@activemq.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2020/02/25 14:40:24 UTC

CVE-2015-5183

Hi all,

A few months ago I raised the issue of a number of CVEs reported against
AMQ which have no "fix for" version. I have some time again to look into
this, and so I'd like to take them one by one.

https://nvd.nist.gov/vuln/detail/CVE-2015-5183

"The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on
cookies."

The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
refers to the Hawt IO Console, and not anything in ActiveMQ. Although note
that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
release (https://issues.apache.org/jira/browse/AMQ-7322).

As this CVE does not concern ActiveMQ at all, I would like to mail NIST and
request that they change the CPE score to stop referencing ActiveMQ, and
also update the description not to refer to ActiveMQ.

It would be great if someone from the PMC could give me a +1 to this plan,
and I will be able to link to this thread when contacting NIST.

Colm.
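The weakness behind this CVE is a session cookie issued without the HttpOnly and Secure attributes (the thread notes the AMQ Web Console only gained HttpOnly in 5.15.11). The following is an added example, not code from ActiveMQ, Hawtio or this thread: a small audit that parses Set-Cookie header values and reports which of the two attributes each cookie lacks. The sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not part of the mailing-list thread or of any project it
mentions. The sample response headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class CookieAudit:
    name: str
    missing: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def audit_set_cookie(header_value: str, require_secure: bool = True) -> CookieAudit:
    """Parse one Set-Cookie value ("name=value; Attr; Attr=val") and
    return the hardening attributes it is missing. Attribute names are
    matched case-insensitively, as browsers do. Set require_secure=False
    for a console that is deliberately served over plain HTTP, where the
    Secure attribute would make the cookie unusable."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    return CookieAudit(name, missing)


def audit_response_cookies(headers: Iterable[Tuple[str, str]],
                           require_secure: bool = True) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_set_cookie(v, require_secure)
            for k, v in headers if k.lower() == "set-cookie"]


# Constructed sample: three variants of a servlet session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),                     # neither
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),           # no Secure
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),   # both set
]

if __name__ == "__main__":
    for c in audit_response_cookies(SAMPLE_HEADERS):
        print(f"{c.name}: {'ok' if c.ok else 'missing ' + ', '.join(c.missing)}")
```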

Re: CVE-2015-5183

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi all,

An update on this long-running task. RedHat have updated the descriptions
for the following two CVEs to make it clearer that they affect RedHat AMQ
and not Apache, and then NIST changed the CPE scores to remove Apache
ActiveMQ:

https://nvd.nist.gov/vuln/detail/CVE-2015-5183
https://nvd.nist.gov/vuln/detail/CVE-2015-5184

So for these two CVEs, vulnerability scanners are no longer flagging Apache
ActiveMQ as vulnerable. The remaining task is

https://nvd.nist.gov/vuln/detail/CVE-2015-5182

I am waiting on clarification from RedHat here, as the upstream bug is
marked as "WONTFIX".

Colm.

On Wed, Feb 26, 2020 at 1:15 PM Mark J Cox <mj...@apache.org> wrote:


Re: CVE-2015-5183

Posted by Mark J Cox <mj...@apache.org>.
Yes, they can update the master CVE (Mitre) description which appears
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5183 which NVD are
downstream from.

Mark

On Wed, Feb 26, 2020 at 1:12 PM Colm O hEigeartaigh <co...@apache.org>
wrote:


Re: CVE-2015-5183

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Mark,

OK, I will do, thanks. Just for clarity, when you say they can update the
entry without Mitre, are you referring to the description at
https://nvd.nist.gov/vuln/detail/CVE-2015-5183 or just in
https://bugzilla.redhat.com/show_bug.cgi?id=1249182 ?

Colm.

On Wed, Feb 26, 2020 at 12:54 PM Mark J Cox <mj...@apache.org> wrote:


Re: CVE-2015-5183

Posted by Mark J Cox <mj...@apache.org>.
Hi Colm; as the assigning CNA was Red Hat, I'd suggest reaching out to them
via secalert@redhat.com and asking them to update the entry (they have the
ability to do this themselves, very quickly and easily, without having to
involve Mitre at all). Once that is done, which should take only a day or
two, you can ask NIST to update the CPE list based on that change.

Cheers, Mark

On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <co...@apache.org>
wrote:
