Posted to commits@activemq.apache.org by bu...@apache.org on 2016/05/23 17:22:13 UTC

svn commit: r988958 - in /websites/production/activemq/content: cache/main.pageCache security-advisories.data/CVE-2016-3088-announcement.txt security-advisories.html

Author: buildbot
Date: Mon May 23 17:22:13 2016
New Revision: 988958

Log:
Production update by buildbot for activemq

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/security-advisories.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt (added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt Mon May 23 17:22:13 2016
@@ -0,0 +1,26 @@
+CVE-2016-3088 - ActiveMQ Fileserver web application vulnerabilities
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.2
+
+Description:
+
+Multiple vulnerabilities have been identified in the Apache ActiveMQ Fileserver web application. These are similar to those reported in CVE-2015-1830 and can allow attackers to replace web application files with malicious code and perform remote code execution on the system.
+
+Mitigation:
+
+Fileserver feature will be completely removed starting with 5.14.0 release. Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\jetty.xml file
+
+<bean class="org.eclipse.jetty.webapp.WebAppContext">
+    <property name="contextPath" value="/fileserver" />
+    <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
+    <property name="logUrlOnStart" value="true" />
+    <property name="parentLoaderPriority" value="true" />
+</bean>
+
+Credit:
+This issue was discovered by separated reports of Simon Zuckerbraun and Andrea Micalizzi (rgod) of Trend Micro Zero Day Initiative
\ No newline at end of file
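Review bot: the mitigation step names the file as `conf\jetty.xml` with a Windows separator, while the same snippet uses `${activemq.home}/webapps/fileserver`; write it as `conf/jetty.xml`, which matches the distribution layout and also works on Windows. Two wording fixes in the same hunk: "discovered by separated reports" should read "separate reports", and "SHOULD NOT be used in older version of the broker" should be "older versions". The Mitigation paragraph also never states the recommended action for someone on 5.0.0 - 5.13.2 in one place; consider opening it with "Disable the fileserver web application by removing or commenting out the WebAppContext bean below" (the future tense "will be completely removed starting with 5.14.0" reads as if that release is not yet available), and add that wrapping the bean in `<!-- -->` only works if the block contains no existing XML comment.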

Modified: websites/production/activemq/content/security-advisories.html
==============================================================================
--- websites/production/activemq/content/security-advisories.html (original)
+++ websites/production/activemq/content/security-advisories.html Mon May 23 17:22:13 2016
@@ -72,7 +72,7 @@
   <tbody>
         <tr>
         <td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache ActiveMQ</h2><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&amp;modificationDate=1457613666000&amp;api=v2" data-linked-resource-id="62687061" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-0734-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2016-0734</a>&#160;-&#160;ActiveMQ Web Console - Clickjacking</li><li><a shape="rect" href="security-advisories.data/CVE-2016-0782-announcement.txt?version=1&amp;modificationDate=1457613720014&amp;api=v2" data-linked-resource-id="62687062" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-0782-announce
 ment.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2016-0782</a>&#160;-&#160;ActiveMQ Web Console - Cross-Site Scripting</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&amp;modificationDate=1449589734000&amp;api=v2" data-linked-resource-id="61331741" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5254-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2015-5254</a> -&#160;Unsafe deserialization in ActiveMQ</li><li><a shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2" data-linked-resou
 rce-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2015-1830</a> - Path traversal leading to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;modificationDate=1446901063000&amp;api=v2" data-linked-resource-id="61327457" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3576-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2014-3576</a> -&#160;Remote Unauthenticated Shutdown of Br
 oker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2" data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2014-3600</a>&#160;-&#160;Apache ActiveMQ XXE with XPath selectors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&amp;api=v2" data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957
 " data-linked-resource-container-version="9">CVE-2014-3612</a> -&#160;ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2" data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2014-8110</a> -&#160;<span style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span style="line-height: 1.4285715;"><br clear="none"></span></li></ul><h2 id="SecurityAdvisories-ActiveMQApollo"><span style="line-height: 1.4285715;">ActiveMQ Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span style="line-heigh
 t: 1.4285715;">2014</span></h3><ul><li><span style="line-height: 1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2" data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3579-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="9">CVE-2014-3579</a><span style="line-height: 1.4285715;"> -&#160;ActiveMQ Apollo XXE with XPath selectors</span></li></ul><p><span style="line-height: 1.4285715;">&#160;</span></p></div>
+<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache ActiveMQ</h2><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&amp;modificationDate=1457613666000&amp;api=v2" data-linked-resource-id="62687061" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-0734-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2016-0734</a>&#160;-&#160;ActiveMQ Web Console - Clickjacking</li><li><a shape="rect" href="security-advisories.data/CVE-2016-0782-announcement.txt?version=2&amp;modificationDate=1458229308000&amp;api=v2" data-linked-resource-id="62687062" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-0782-announc
 ement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2016-0782</a>&#160;-&#160;ActiveMQ Web Console - Cross-Site Scripting</li><li><a shape="rect" href="security-advisories.data/CVE-2016-3088-announcement.txt?version=4&amp;modificationDate=1464022661036&amp;api=v2" data-linked-resource-id="63406525" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-3088-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2016-3088</a> -&#160;ActiveMQ Fileserver web application vulnerabilities</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&amp;modificationDate=1449589734000&amp;api=v
 2" data-linked-resource-id="61331741" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5254-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2015-5254</a> -&#160;Unsafe deserialization in ActiveMQ</li><li><a shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2" data-linked-resource-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2015-1830</a> - Path traversal leading to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdviso
 ries-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;modificationDate=1446901063000&amp;api=v2" data-linked-resource-id="61327457" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3576-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2014-3576</a> -&#160;Remote Unauthenticated Shutdown of Broker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2" data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-
 id="51808957" data-linked-resource-container-version="10">CVE-2014-3600</a>&#160;-&#160;Apache ActiveMQ XXE with XPath selectors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&amp;api=v2" data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2014-3612</a> -&#160;ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2" data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-reso
 urce-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2014-8110</a> -&#160;<span style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span style="line-height: 1.4285715;"><br clear="none"></span></li></ul><h2 id="SecurityAdvisories-ActiveMQApollo"><span style="line-height: 1.4285715;">ActiveMQ Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span style="line-height: 1.4285715;">2014</span></h3><ul><li><span style="line-height: 1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2" data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3579-anno
 uncement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2014-3579</a><span style="line-height: 1.4285715;"> -&#160;ActiveMQ Apollo XXE with XPath selectors</span></li></ul><p><span style="line-height: 1.4285715;">&#160;</span></p></div>
         </td>
         <td valign="top">
           <div class="navigation">
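Review bot: besides adding the CVE-2016-3088 entry, the replaced line bumps the CVE-2016-0782 link from `version=1&amp;modificationDate=1457613720014` to `version=2&amp;modificationDate=1458229308000`, but the Added/Modified list at the top of this commit contains no change to `CVE-2016-0782-announcement.txt`, so the link now points at an attachment version whose content is not part of this commit; either include the updated text file or leave that link at version=1. For consistency with the 2015 entry "Path traversal leading to unauthenticated RCE in ActiveMQ", the new list text "ActiveMQ Fileserver web application vulnerabilities" could name the impact the advisory itself states, e.g. "ActiveMQ Fileserver web application - file replacement leading to remote code execution".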