Posted to issues@activemq.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2015/06/22 20:59:00 UTC

[jira] [Commented] (AMQ-5745) Code analysis revealed multiple vulnerable sections of code

    [ https://issues.apache.org/jira/browse/AMQ-5745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14596445#comment-14596445 ] 

ASF GitHub Bot commented on AMQ-5745:
-------------------------------------

GitHub user cshannon opened a pull request:

    https://github.com/apache/activemq/pull/118

    https://issues.apache.org/jira/browse/AMQ-5745

    This commit is based off a patch submitted by admin@int3solutions.com.
    It fixes several locations in the code where there are potential resource leaks.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cshannon/activemq AMQ-5745

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/activemq/pull/118.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #118
    
----
commit b6039184e91d82d0b7cd61dc15ca38f007931e10
Author: Christopher L. Shannon (cshannon) <ch...@gmail.com>
Date:   2015-06-22T18:34:37Z

    https://issues.apache.org/jira/browse/AMQ-5745
    
    This commit is based off a patch submitted by admin@int3solutions.com.
    It fixes several locations in the code where there are potential resource leaks.

----


> Code analysis revealed multiple vulnerable sections of code
> -----------------------------------------------------------
>
>                 Key: AMQ-5745
>                 URL: https://issues.apache.org/jira/browse/AMQ-5745
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.9.0
>            Reporter: Int3
>         Attachments: activemq.patch
>
>
> Code analysis revealed multiple vulnerable sections of code in ActiveMQ 5.9.0.  A patch file is attached that addresses the issues below.
> activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706
> 	This code uses the "eval()" function to evaluate JSON code -- this method is deprecated and dangerous and has been replaced by the JSON.parse() method, which is supported in all modern browsers -- considering that less than 2% of modern computers are still using legacy browsers, we believe the code should be upgraded to use the more secure method
> activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
> activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
> activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
> activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
> activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
> activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
> activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
> activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
> activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
> activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
> activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
> activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198
> 	Resource leaks are possible at these code locations (the patched code releases the resources within a finally() statement)
> activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
> activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568
> 	NULL dereferences are possible at these code locations
> activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269
> 	Double-locking of this form is vulnerable to race conditions
> activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
> activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284
> 	XSS reflection is possible at these code locations (an XSS filter should be added)
> activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72
> 	Path manipulation is possible via ".." directory traversal
> activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141
> 	A return statement inside a finally block will cause any exception that might be thrown in the try or catch block to be discarded.
> activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68
> 	Recording passwords to a logfile in plaintext is inadvisable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
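
The resource-leak and return-inside-finally findings listed in the issue, shown as an added Java example. This is not code from ActiveMQ or from the attached patch; the class name, method names and the FailingStream stand-in are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;

public class FinallyPitfalls {
    // Constructed stand-in for a file or socket stream: every read fails,
    // and the object records whether close() was ever called.
    static class FailingStream extends InputStream {
        boolean closed = false;
        @Override public int read() throws IOException { throw new IOException("simulated read failure"); }
        @Override public void close() { closed = true; }
    }

    // Leaky form: close() is reached only when read() succeeds.
    static void leakyRead(InputStream in) throws IOException {
        in.read();
        in.close();
    }

    // Form the issue describes for the patch: release the resource in finally,
    // so close() runs whether or not read() throws.
    static void safeRead(InputStream in) throws IOException {
        try {
            in.read();
        } finally {
            in.close();
        }
    }

    // Return inside finally: the exception raised in the catch block is discarded
    // and the caller sees a normal return value.
    @SuppressWarnings("finally")
    static boolean swallowingRead(InputStream in) {
        try {
            in.read();
        } catch (IOException e) {
            throw new IllegalStateException(e);
        } finally {
            return true; // replaces the pending IllegalStateException
        }
    }

    public static void main(String[] args) {
        FailingStream a = new FailingStream();
        try { leakyRead(a); } catch (IOException e) { /* failure path under test */ }
        System.out.println("leakyRead closed the stream: " + a.closed);
        FailingStream b = new FailingStream();
        try { safeRead(b); } catch (IOException e) { /* failure path under test */ }
        System.out.println("safeRead closed the stream: " + b.closed);
        System.out.println("swallowingRead returned: " + swallowingRead(new FailingStream()));
    }
}
```

Compiling with `javac -Xlint:finally` reports the return-inside-finally pattern as a warning, which is one way to catch it in a build.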