Posted to issues@activemq.apache.org by "Timothy Bish (JIRA)" <ji...@apache.org> on 2015/06/30 21:05:05 UTC

[jira] [Resolved] (AMQ-5745) Code analysis revealed multiple vulnerable sections of code

     [ https://issues.apache.org/jira/browse/AMQ-5745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Bish resolved AMQ-5745.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 5.12.0

Applied PR containing a subset of the changes identified in the patch, others appear to be non-issues or already resolved.  I'd recommend testing the code from master with your tooling to see if any other issues show up that seem like real problems.  New issues can be opened with targeted patches for different areas of concern.

> Code analysis revealed multiple vulnerable sections of code
> -----------------------------------------------------------
>
>                 Key: AMQ-5745
>                 URL: https://issues.apache.org/jira/browse/AMQ-5745
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.9.0
>            Reporter: Int3
>             Fix For: 5.12.0
>
>         Attachments: activemq.patch
>
>
> Code analysis revealed multiple vulnerable sections of code in ActiveMQ 5.9.0.  A patch file is attached that addresses the issues below.
> activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706
> 	This code uses the "eval()" function to evaluate JSON code -- this method is deprecated and dangerous and has been replaced by the JSON.parse() method, which is supported in all modern browsers -- considering that less than 2% of modern computers are still using legacy browsers, we believe the code should be upgraded to use the more secure method
> activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
> activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
> activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
> activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
> activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
> activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
> activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
> activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
> activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
> activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
> activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
> activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198
> 	Resource leaks are possible at these code locations (the patched code releases the resources within a finally() statement)
> activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
> activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568
> 	NULL dereferences are possible at these code locations
> activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269
> 	Double-locking of this form is vulnerable to race conditions
> activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
> activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284
> 	XSS reflection is possible at these code locations (an XSS filter should be added)
> activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72
> 	Path manipulation is possible via ".." directory traversal
> activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141
> 	A return statement inside a finally block will cause any exception that might be thrown in the try or catch block to be discarded.
> activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68
> 	Recording passwords to a logfile in plaintext is inadvisable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
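
The first finding in the quoted report, evaluating JSON with eval() versus JSON.parse(), shown as an added example that is not part of the original message, the attached patch, or prototype.js. The function names, the `touch()` marker and the three sample bodies are constructed for illustration; the eval wrapper stands in for the legacy pattern the report describes.

```javascript
// Added illustration; every name and sample body below is constructed.
let sideEffects = 0;                       // counts code executed while parsing
function touch() { sideEffects += 1; return "x"; }

// Legacy pattern: treat the response body as a JavaScript expression.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// Replacement: strict JSON grammar only; nothing in the body is executed.
function parseWithJsonParse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

const samples = {
  wellFormed:   '{"queue":"TEST.FOO","size":3}',
  withCall:     '{"queue": touch()}',      // an expression, not JSON
  looseLiteral: "{queue:'TEST.FOO'}",      // valid JS literal, invalid JSON
};

// Run each body through both parsers and record what was accepted and
// whether any code embedded in the body actually ran.
function compare() {
  const report = {};
  for (const [name, body] of Object.entries(samples)) {
    sideEffects = 0;
    const strict = parseWithJsonParse(body);
    const ranUnderJsonParse = sideEffects;
    sideEffects = 0;
    const evalValue = parseWithEval(body);
    report[name] = {
      jsonParseAccepted: strict.ok,
      jsonParseError: strict.ok ? null : strict.error,
      ranUnderJsonParse,
      ranUnderEval: sideEffects,
      evalValue,
    };
  }
  return report;
}

console.log(JSON.stringify(compare(), null, 2));
```

The `looseLiteral` case is the migration caveat: any server response that relied on eval's leniency (unquoted keys, single quotes) fails under JSON.parse and has to be corrected at the producer.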