Posted to issues@activemq.apache.org by "Albert Baker (JIRA)" <ji...@apache.org> on 2018/06/15 14:36:11 UTC

[jira] [Updated] (AMQ-6988) ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high severity CVEs against it. Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report

     [ https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Albert Baker updated AMQ-6988:
------------------------------
    Description: 
ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high severity CVEs against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report

CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.

CVE-2015-5184 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.

CVE-2016-3088 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
CONFIRM - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
EXPLOIT-DB - 42283
MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
REDHAT - RHSA-2016:2036

  was:
ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high severity CVEs against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report

CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.

CVE-2015-5184 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.

    Component/s:     (was: Broker)
                 webconsole
        Summary: ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high severity CVEs against it. Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report  (was: ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high severity CVEs against it. Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report)

> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high severity CVEs against it. Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6988
>                 URL: https://issues.apache.org/jira/browse/AMQ-6988
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN.  Will not accept the risk of having even one high severity CVE in their environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report
> CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.
> CVE-2016-3088 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
> CONFIRM - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
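The issue says the findings came from wiring OWASP Dependency-Check into the ActiveMQ pom.xml. The fragment below is an added example of that wiring, not the ActiveMQ project's own pom.xml: it binds the plugin's `check` goal to the build, fails the build on any finding at CVSS 7.0 or higher (the threshold at which all three findings above land), and points at a suppression file where reviewed false positives are recorded. The plugin version and the suppression file name are assumptions.

```xml
<!-- Added example: OWASP Dependency-Check wired into a Maven build.
     Not taken from the ActiveMQ pom.xml; version and file name are assumed. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>3.2.1</version> <!-- assumed; use the current release -->
      <configuration>
        <!-- Fail `mvn verify` on any finding scored 7.0 or above (CVSS v2 "High"). -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Reviewed false positives live here, with a justification per entry. -->
        <suppressionFiles>
          <suppressionFile>owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

When triaging the report, check what each CVE actually describes before treating the jar as the vulnerable component: the three entries quoted in the issue concern the Hawtio web console and the Fileserver web application, and the CVE-2016-3088 text itself scopes the affected range to "5.x before 5.14.0", while the reported build is 5.15.4. Dependency-Check attaches CVEs to a jar by matching its vendor/product evidence to a CPE, so a jar whose evidence resolves to the ActiveMQ product CPE inherits every ActiveMQ CVE in the database whether or not the jar contains the affected code. A finding that survives that review belongs in a fix; one that does not belongs in the suppression file with the reasoning written down.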
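The two CVE classes listed above have simple observable signatures: CVE-2015-5183 is a console session cookie issued without HttpOnly/Secure, and CVE-2016-3088 is an HTTP PUT under /fileserver/ followed by a MOVE of the uploaded path. The script below is an added example, not code from the issue or from the ActiveMQ project, of checking a deployment for both: an audit of a Set-Cookie header value, and a scan of NCSA-style access-log lines for the PUT-then-MOVE chain. The log lines, cookie values, client addresses and the exact log format are constructed for the example.

```python
"""
Added example (not from AMQ-6988 or the ActiveMQ project): two checks for the
CVE classes the issue lists, runnable offline on constructed sample input.

  audit_set_cookie()         -> CVE-2015-5183 class: cookie missing HttpOnly/Secure
  find_fileserver_put_move() -> CVE-2016-3088 class: PUT then MOVE under /fileserver/
"""
import re
from collections import defaultdict

# --- 1. cookie attribute audit --------------------------------------------------

REQUIRED_COOKIE_ATTRS = ("HttpOnly", "Secure")


def audit_set_cookie(header_value):
    """Return the required attributes missing from one Set-Cookie header value.

    The first ';'-separated part is the name=value pair; everything after it is
    an attribute. Attribute names are case-insensitive (RFC 6265), so compare
    in lower case. An empty list means the cookie carries both flags.
    """
    attrs = [part.strip() for part in header_value.split(";")[1:]]
    present = {attr.split("=", 1)[0].lower() for attr in attrs}
    return [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in present]


# --- 2. fileserver PUT -> MOVE detection ----------------------------------------

# NCSA/Jetty-style request log: client, identd, user, [timestamp], "request line", status.
# The MOVE Destination header is not in the access log, so the source path is the
# only part of the chain visible here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_fileserver_put_move(log_lines):
    """Return (client, path) for each successful PUT under /fileserver/ that the
    same client later followed with a MOVE of that same path.

    Only 2xx PUTs are tracked: a rejected upload (e.g. 403 after the fileserver
    webapp is disabled) cannot be moved, so it is not a completed chain.
    """
    pending = defaultdict(set)   # client -> paths it has successfully PUT
    chains = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/fileserver/"):
            continue
        client, method, path = m.group("client"), m.group("method"), m.group("path")
        if method == "PUT" and m.group("status").startswith("2"):
            pending[client].add(path)
        elif method == "MOVE" and path in pending[client]:
            chains.append((client, path))
            pending[client].discard(path)
    return chains


# Constructed sample log lines (not real traffic). Line 2+3 form the PUT->MOVE
# chain; line 4 is a PUT rejected with 403 and so is not a completed chain.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2018:14:36:11 +0000] "GET /admin/ HTTP/1.1" 200 5123',
    '10.0.0.9 - - [15/Jun/2018:14:40:02 +0000] "PUT /fileserver/x.txt HTTP/1.1" 204 0',
    '10.0.0.9 - - [15/Jun/2018:14:40:03 +0000] "MOVE /fileserver/x.txt HTTP/1.1" 204 0',
    '10.0.0.7 - - [15/Jun/2018:14:41:00 +0000] "PUT /fileserver/y.txt HTTP/1.1" 403 0',
]

# Constructed Set-Cookie values as a console might emit them (not captured data).
WEAK_COOKIE = "JSESSIONID=abc123; Path=/hawtio"
HARDENED_COOKIE = "JSESSIONID=abc123; Path=/hawtio; Secure; HttpOnly"


if __name__ == "__main__":
    print("weak cookie missing:", audit_set_cookie(WEAK_COOKIE))
    print("hardened cookie missing:", audit_set_cookie(HARDENED_COOKIE))
    print("PUT->MOVE chains:", find_fileserver_put_move(SAMPLE_LOG))
```

`audit_set_cookie` is meant to run over the Set-Cookie headers returned by the console's login response; `find_fileserver_put_move` over the broker's HTTP request log. On a broker where the fileserver webapp has been removed, the MOVE branch never fires because the PUT never succeeds, which is the state the CVE-2016-3088 advisory link above describes for fixed versions.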