Posted to users@activemq.apache.org by iali <ia...@arcsolutions.com> on 2015/12/04 16:46:42 UTC

Java_December vulnerability

Hi Guys, 

I just want to confirm whether ActiveMQ is affected by the Java_December
vulnerability as explained in http://www.kb.cert.org/vuls/id/576313

If so, how can we patch our site to resolve this vulnerability, and when will
a new release be available with this fix?

Regards, 
Imran 



--
View this message in context: http://activemq.2283324.n4.nabble.com/Java-December-vulnerability-tp4704610.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Java_December vulnerability

Posted by Tim Bain <tb...@alumni.duke.edu>.
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
was a good (though repetitive) overview of the vulnerability, and of one
proposed fix (cracking open the commons-collections JAR and removing the
InvokerTransformer class).
On Dec 8, 2015 3:37 AM, "iali" <ia...@arcsolutions.com> wrote:

> Thanks jahlborn,
>
> I am currently investigating this further to confirm if ActiveMQ 5.13.0 has
> got this impact or whether it will fix the CVE.
>
> For your reference I am mainly looking at following CVE:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
>
>

Re: Java_December vulnerability

Posted by iali <ia...@arcsolutions.com>.
Thanks jahlborn,

I am currently investigating this further to confirm if ActiveMQ 5.13.0 has
got this impact or whether it will fix the CVE.

For your reference I am mainly looking at following CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852

Re: Java_December vulnerability

Posted by jahlborn <ja...@gmail.com>.
This certainly seems related, although it predates the vulnerability notice:

https://issues.apache.org/jira/browse/AMQ-6013

Re: Java_December vulnerability

Posted by Andrew Clemons <an...@gmail.com>.
On 2015-12-10 10:37:15 -0500, christopher.l.shannon@gmail.com wrote:
> Also, this fix will be included in 5.12.2 as well when that is released.

Based on AMQ-6013 it looks like the fix has been included in 5.11.x,
5.12.x, and 5.13.x. Any chance we can also get this included in 5.10.x?
That is the last branch which supported JDK6. I just cherry-picked the
changes here locally to the branch activemq-5.10.x cleanly. Thoughts?

Re: Java_December vulnerability

Posted by Christopher Shannon <ch...@gmail.com>.
Also, this fix will be included in 5.12.2 as well when that is released.

On Wed, Dec 9, 2015 at 5:41 AM, Dejan Bosanac <de...@nighttale.net> wrote:

> Hi Tim, yes, it prevents untrusted classes deserializing inside the broker,
> including when you want to look at them in the web console.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
>
> > The mitigation section simply says to upgrade to 5.13.0, which implies
> that
> > 5.13.0 fixes all categories of this problem, including webconsole.  Is
> that
> > accurate?
> >
> > Tim
> > On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <de...@nighttale.net> wrote:
> >
> > > Hi,
> > >
> > > this has just been announced with its own CVE-2015-5254. More info can
> be
> > > found at
> > >
> > >
> >
> http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
> > >
> > > Regards
> > > --
> > > Dejan Bosanac
> > > about.me/dejanb
> > >
> > > On Tue, Dec 8, 2015 at 4:41 PM, iali <ia...@arcsolutions.com> wrote:
> > >
> > > > Thanks Tim,
> > > >
> > > > I did have a look at that site and it has got a comprehensive
> > explanation
> > > > against this vulnerability. Also I have been having a discussion
> under
> > > > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013>   and it
> > seems
> > > > that we can use CVE-2015-4852 based on comment in
> > > >
> > > >
> > > >
> > >
> >
> https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> > > >
> > >
> >
>

Re: Java_December vulnerability

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Tim, yes, it prevents untrusted classes deserializing inside the broker,
including when you want to look at them in the web console.

Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain <tb...@alumni.duke.edu> wrote:

> The mitigation section simply says to upgrade to 5.13.0, which implies that
> 5.13.0 fixes all categories of this problem, including webconsole.  Is that
> accurate?
>
> Tim
> On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <de...@nighttale.net> wrote:
>
> > Hi,
> >
> > this has just been announced with its own CVE-2015-5254. More info can be
> > found at
> >
> >
> http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Tue, Dec 8, 2015 at 4:41 PM, iali <ia...@arcsolutions.com> wrote:
> >
> > > Thanks Tim,
> > >
> > > I did have a look at that site and it has got a comprehensive
> explanation
> > > against this vulnerability. Also I have been having a discussion under
> > > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013>   and it
> seems
> > > that we can use CVE-2015-4852 based on comment in
> > >
> > >
> > >
> >
> https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> > >
> >
>
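
Dejan's answer above describes the shape of the fix: the broker refuses to deserialize classes it has not been told to trust. The class below is added here as an illustration and is not taken from the ActiveMQ patch; it shows the underlying technique in plain Java, an ObjectInputStream that overrides resolveClass() and rejects any class descriptor whose package is not on an allow-list, so a gadget class such as InvokerTransformer is never loaded at all. The package names, the Untrusted demo class and the serialize/deserialize helpers are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not the ActiveMQ patch: an ObjectInputStream that refuses to
 * resolve any class outside an allow-list of trusted packages. A gadget class
 * such as InvokerTransformer is never loaded, so the chain cannot execute,
 * whatever JARs happen to be on the classpath.
 */
public class TrustedPackageObjectInputStream extends ObjectInputStream {

    private final List<String> trustedPackages;

    public TrustedPackageObjectInputStream(InputStream in, String... trustedPackages) throws IOException {
        super(in);
        this.trustedPackages = Arrays.asList(trustedPackages);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isTrusted(name)) {
            // Reject before the class is loaded: no static initialiser, no readObject, nothing runs.
            throw new InvalidClassException(name, "not in trusted packages " + trustedPackages);
        }
        return super.resolveClass(desc);
    }

    /** Applies the allow-list to a class descriptor name, unwrapping array encodings. */
    boolean isTrusted(String descriptorName) {
        String element = descriptorName;
        while (element.startsWith("[")) element = element.substring(1);          // "[[Lfoo.Bar;" -> "Lfoo.Bar;"
        if (element.length() == 1 && "ZBCSIJFD".contains(element)) return true;  // primitive array such as "[I"
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);                // "Lfoo.Bar;" -> "foo.Bar"
        }
        for (String pkg : trustedPackages) {
            if (pkg.equals("*") || element.startsWith(pkg + ".")) return true;
        }
        return false;
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, String... trustedPackages) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedPackageObjectInputStream(new ByteArrayInputStream(bytes), trustedPackages)) {
            return in.readObject();
        }
    }

    /** Stand-in for any class the receiver did not agree to accept (hypothetical, for the demo only). */
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        String[] trusted = {"java.lang", "java.util"};

        // A plain ArrayList of Strings resolves java.util.ArrayList, which is on the list.
        ArrayList<String> payload = new ArrayList<>(Arrays.asList("order-1", "order-2"));
        System.out.println("accepted: " + deserialize(serialize(payload), trusted));

        // A stream carrying a class outside the list is refused before that class is loaded.
        try {
            deserialize(serialize(new Untrusted()), trusted);
            System.out.println("BUG: untrusted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with javac and java: the first payload is accepted, the second is refused with an InvalidClassException before the class is ever loaded. Keep the list to the packages your messages actually need; a wildcard entry disables the protection entirely. The check lives wherever readObject() is called, which in this thread means the consumer and, for the web console case, the broker itself; it does not change the wire protocol. Later JDK releases added a built-in hook for exactly this kind of filter (JEP 290, ObjectInputFilter).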

Re: Java_December vulnerability

Posted by Tim Bain <tb...@alumni.duke.edu>.
The mitigation section simply says to upgrade to 5.13.0, which implies that
5.13.0 fixes all categories of this problem, including webconsole.  Is that
accurate?

Tim
On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <de...@nighttale.net> wrote:

> Hi,
>
> this has just been announced with its own CVE-2015-5254. More info can be
> found at
>
> http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Tue, Dec 8, 2015 at 4:41 PM, iali <ia...@arcsolutions.com> wrote:
>
> > Thanks Tim,
> >
> > I did have a look at that site and it has got a comprehensive explanation
> > against this vulnerability. Also I have been having a discussion under
> > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013>   and it seems
> > that we can use CVE-2015-4852 based on comment in
> >
> >
> >
> https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> >
>

Re: Java_December vulnerability

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,

this has just been announced with its own CVE-2015-5254. More info can be
found at
http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 4:41 PM, iali <ia...@arcsolutions.com> wrote:

> Thanks Tim,
>
> I did have a look at that site and it has got a comprehensive explanation
> against this vulnerability. Also I have been having a discussion under
> AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013>   and it seems
> that we can use CVE-2015-4852 based on comment in
>
>
> https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
>

Re: Java_December vulnerability

Posted by iali <ia...@arcsolutions.com>.
Thanks Tim,

I did have a look at that site and it has got a comprehensive explanation
against this vulnerability. Also I have been having a discussion under 
AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013>   and it seems
that we can use CVE-2015-4852 based on comment in 
 
https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732 

Re: Java_December vulnerability

Posted by artnaseef <ar...@artnaseef.com>.
It is hard to determine based on that message and
https://issues.apache.org/jira/browse/COLLECTIONS-580.  Based on my
searching so far, it looks like that feature of collections is not used in
ActiveMQ.

Specifically, I searched on InvokerTransformer and did not find any
occurrence in the code.

It would help to have specific details of how commons-collections is
vulnerable.  ActiveMQ does use commons-collections.

Note that I do know for sure that the openwire implementation uses its own
serialization methods, so it's highly unlikely that the openwire protocol is
susceptible.
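
Two checks in this thread come down to the same question, whether the InvokerTransformer class is actually present: Tim's pointer to the Foxglove workaround of deleting the class from the commons-collections JAR, and the search for the class that Art describes above. The program below is an added example, not ActiveMQ code, that answers that question for a set of JARs or directories (for instance a broker's lib/ tree) by looking for the class file itself rather than for references in source. The entry paths for the commons-collections 3.x and 4.x artifacts are the standard ones; the class name and output format are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.jar.JarFile;

/**
 * Added example, not ActiveMQ code: list the classpath elements that still
 * carry the commons-collections InvokerTransformer class. Use it to find
 * exposure and to verify that the "delete the class from the JAR" workaround
 * actually took effect on the JARs a broker loads.
 */
public class GadgetClassScan {

    // Class file paths inside the commons-collections 3.x and 4.x artifacts.
    static final String[] GADGET_ENTRIES = {
        "org/apache/commons/collections/functors/InvokerTransformer.class",
        "org/apache/commons/collections4/functors/InvokerTransformer.class",
    };

    /** Gadget class files present in a single JAR; empty if none. */
    static List<String> gadgetEntriesInJar(File jar) throws IOException {
        List<String> found = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            for (String entry : GADGET_ENTRIES) {
                if (jf.getJarEntry(entry) != null) {
                    found.add(entry);
                }
            }
        }
        return found;
    }

    /** Gadget class files present in an exploded classes directory; empty if none. */
    static List<String> gadgetEntriesInDir(File dir) {
        List<String> found = new ArrayList<>();
        for (String entry : GADGET_ENTRIES) {
            if (new File(dir, entry).isFile()) {
                found.add(entry);
            }
        }
        return found;
    }

    /**
     * Scans one classpath element. A directory is treated both as an exploded
     * classes tree and as a folder of JARs (the shape of an ActiveMQ lib/ tree).
     * Returns one "path -> entries" line per hit; unreadable JARs are reported, not skipped.
     */
    static List<String> scan(File element) {
        List<String> hits = new ArrayList<>();
        if (element.isDirectory()) {
            List<String> inDir = gadgetEntriesInDir(element);
            if (!inDir.isEmpty()) hits.add(element.getPath() + " -> " + inDir);
            File[] children = element.listFiles();
            if (children != null) {
                for (File child : children) {
                    if (child.isFile() && child.getName().endsWith(".jar")) {
                        hits.addAll(scan(child));
                    }
                }
            }
        } else if (element.isFile() && element.getName().endsWith(".jar")) {
            try {
                List<String> inJar = gadgetEntriesInJar(element);
                if (!inJar.isEmpty()) hits.add(element.getPath() + " -> " + inJar);
            } catch (IOException e) {
                hits.add(element.getPath() + " -> unreadable: " + e.getMessage());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Arguments are directories or JARs to scan (e.g. the broker's lib/ directory);
        // with no arguments, the running JVM's own classpath is scanned.
        List<String> elements = args.length > 0
            ? Arrays.asList(args)
            : Arrays.asList(System.getProperty("java.class.path").split(File.pathSeparator));
        int hits = 0;
        for (String e : elements) {
            if (e.isEmpty()) continue;
            for (String hit : scan(new File(e))) {
                hits++;
                System.out.println(hit);
            }
        }
        System.out.println(hits == 0 ? "no InvokerTransformer class found"
                                     : hits + " classpath element(s) carry InvokerTransformer");
    }
}
```

Run it as `java GadgetClassScan /opt/activemq/lib` (or with no arguments against the JVM's own classpath). Finding no InvokerTransformer does not by itself mean the deployment is safe: other gadget classes exist in the same library and in others, and deleting one class from a JAR is a stopgap. The durable fix is to never hand attacker-controlled bytes to ObjectInputStream without restricting which classes may be resolved, which is what the AMQ-6013 change discussed in this thread does for ObjectMessage payloads.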