Posted to commits@activemq.apache.org by cs...@apache.org on 2016/03/10 13:24:33 UTC

svn commit: r982387 - in /websites/production/activemq/content/security-advisories.data: CVE-2016-0734-announcement.txt CVE-2016-0782-announcement.txt

Author: cshannon
Date: Thu Mar 10 12:24:33 2016
New Revision: 982387

Log:
Adding CVE announcements

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
    websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt (added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0734: ActiveMQ Web Console - Clickjacking
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+The web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.13.2
+
+Credit:
+This issue was discovered by Michael Furman
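Review bot: the Mitigation section for CVE-2016-0734 lists only "Upgrade to Apache ActiveMQ 5.13.2", while the CVE-2016-0782 advisory added in this same commit lists 5.11.4, 5.12.3, or 5.13.2 for the identical affected range (5.0.0 - 5.13.1); please confirm whether the X-Frame-Options fix was also backported to the 5.11.x and 5.12.x branches and, if so, list those versions here too, since readers on a maintenance branch will otherwise assume no fixed release exists for them. Two smaller points in the Description: "web based" should be hyphenated ("web-based administration console"), and the double blank line before "Mitigation:" is inconsistent with the single blank lines used between the other sections.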

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt (added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2
+
+Credit:
+This issue was discovered by Vladimir Ivanov (Positive Technologies)
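Review bot: the Description bundles two distinct problems (several cross-site scripting instances, and the ability to trigger a Java memory dump into an arbitrary folder via Jolokia) under one CVE but does not say which fixed versions address which, so please state explicitly that 5.11.4, 5.12.3 and 5.13.2 each contain both the output-encoding fixes and the corrected Jolokia permissions. Grammar in the same paragraph: "The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia" should read "The root causes of these issues are improper validation of user data on output and incorrect permissions configured on Jolokia", and "web based" should be "web-based". As in the other file, the double blank line before "Mitigation:" should be a single one.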