You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "wang Jessie (Jira)" <ji...@apache.org> on 2020/06/03 06:51:00 UTC
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation
vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17124654#comment-17124654 ]
wang Jessie commented on AMQ-7491:
----------------------------------
I have upload my script on GitHub. Here is the address [https://github.com/wqqqy/MPInspector/tree/master/Adapter/AMQP10/hack-amqp10_SameContainerId]
> ActiveMQ illegal occupation vulnerability
> -----------------------------------------
>
> Key: AMQ-7491
> URL: https://issues.apache.org/jira/browse/AMQ-7491
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 5.15.12
> Environment: We build a script used JavaScript to interact with the broker in ActiveMQ 5.15.12.
> The experiment is performed on Windows10 1903 version.
> Reporter: wang Jessie
> Priority: Blocker
> Labels: security
> Attachments: 1590234052205.png
>
>
> *Description:* Two client with the same Container-Id are not allowed to connect to the broker. When we send *two OPEN packet with same the Container-Id*, the broker will return error and the client will close the TCP connection. The client with this Container-Id will *never be able to connect with the broker* unless the broker resets. This vulnerability can be exploited by the adversary to perform the aforementioned attacks on many Container-Id to make a huge set of clients unable to connect with the broker. As the ActiveMQ are widely adopted by the IoT vendors, this can be a vulnerability affected a wide range.
> Following are the details.
> We send *two OPEN packets with the same Container-Id 1* and we can learn from the log A in the attached picture in the broker side that the broker returned close packets and the client closed this TCP connection with the broker.
> Then we build a new client to connect with the broker using the same Container-Id 1, we can learn from the log B in the attached pictur that the broker returned errors as the broker believe the client with Container-Id 1 already connected.
> *Suggestion for repair:* May be the state of the broker after received two OPEN packets could be checked and the connection state of the client could be updated when the TCP connection is closed.
>
> :)I hope what I found can do some help and if you want further discussion, please email me by [wangqinying@zju.edu.cn|mailto:wangqinying@zju.edu.cn]. Thanks for spending your time on my issue.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)