activemq-commits mailing list archives

From build...@apache.org
Subject svn commit: r974985 - in /websites/production/activemq/content: cache/main.pageCache message-features.html security-advisories.data/CVE-2015-5254-announcement.txt security-advisories.html
Date Tue, 08 Dec 2015 16:21:54 GMT
Author: buildbot
Date: Tue Dec  8 16:21:54 2015
New Revision: 974985

Log:
Production update by buildbot for activemq

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2015-5254-announcement.txt
Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/message-features.html
    websites/production/activemq/content/security-advisories.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/message-features.html
==============================================================================
--- websites/production/activemq/content/message-features.html (original)
+++ websites/production/activemq/content/message-features.html Tue Dec  8 16:21:54 2015
@@ -72,7 +72,7 @@
   <tbody>
         <tr>
         <td valign="top" width="100%">
-<div class="wiki-content maincontent"><ul class="childpages-macro"><li><a
shape="rect" href="activemq-message-properties.html">ActiveMQ Message Properties</a></li><li><a
shape="rect" href="advisory-message.html">Advisory Message</a></li><li><a
shape="rect" href="blob-messages.html">Blob Messages</a></li><li><a
shape="rect" href="delay-and-schedule-message-delivery.html">Delay and Schedule Message
Delivery</a></li><li><a shape="rect" href="jms-streams.html">JMS Streams</a></li><li><a
shape="rect" href="message-transformation.html">Message Transformation</a></li><li><a
shape="rect" href="object-message.html">Object Message</a></li><li><a
shape="rect" href="structured-message-properties-and-mapmessages.html">Structured Message
Properties and MapMessages</a></li></ul></div>
+<div class="wiki-content maincontent"><ul class="childpages-macro"><li><a
shape="rect" href="activemq-message-properties.html">ActiveMQ Message Properties</a></li><li><a
shape="rect" href="advisory-message.html">Advisory Message</a></li><li><a
shape="rect" href="blob-messages.html">Blob Messages</a></li><li><a
shape="rect" href="delay-and-schedule-message-delivery.html">Delay and Schedule Message
Delivery</a></li><li><a shape="rect" href="jms-streams.html">JMS Streams</a></li><li><a
shape="rect" href="message-transformation.html">Message Transformation</a></li><li><a
shape="rect" href="objectmessage.html">ObjectMessage</a></li><li><a
shape="rect" href="structured-message-properties-and-mapmessages.html">Structured Message
Properties and MapMessages</a></li></ul></div>
         </td>
         <td valign="top">
           <div class="navigation">
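Review bot: confirm that the old object-message.html page now redirects to objectmessage.html, since this hunk only renames the child-page link (and its title, from "Object Message" to "ObjectMessage") to match the URL http://activemq.apache.org/objectmessage.html that the new advisory's Mitigation section cites; any existing bookmarks or external references to the old path would otherwise break right when the page is being pointed to as the trusted-packages guidance.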

Added: websites/production/activemq/content/security-advisories.data/CVE-2015-5254-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2015-5254-announcement.txt
(added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2015-5254-announcement.txt
Tue Dec  8 16:21:54 2015
@@ -0,0 +1,28 @@
+CVE-2015-5254 - Unsafe deserialization in ActiveMQ
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.12.1
+
+Description:
+
+JMS Object messages depends on Java Serialization for marshaling/unmashaling of the message
payload. There are a couple of places inside the broker where deserialization can occur, like
web console or stomp object message transformation. As deserialization of untrusted data can
leaed to security flaws as demonstrated in various reports, this leaves the broker vunerable
to this attack vector. Additionally, applications that consume ObjectMessage type of messages
can be vunerable as they deserlize objects on ObjectMessage.getObject() calls.
+
+Mitigation:
+
+Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage message type,
you need to explicitly list trusted packages. To see how to do that, please take a look at:
http://activemq.apache.org/objectmessage.html
+
+
+
+Credit:
+This issue was discovered by:
+
+* Alvaro Muñoz   -   @pwntester
+* Matthias Kaiser   -   @matthias_kaiser
+* Christian Schneider   -   @cschneider4711
+
+Special thanks to Matthias Kaiser for providing the detailed analysis of the vunerability.
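Review bot: the advisory text carries several spelling errors that should be fixed before publication: "unmashaling" (unmarshaling) and "leaed" (lead) in the Description, "vunerable" twice (vulnerable), "deserlize" (deserialize), and "vunerability" (vulnerability) in the closing Special thanks line; "JMS Object messages depends" should also read "depend". Otherwise the Mitigation section is consistent with the rest of the hunk: the affected range 5.0.0 - 5.12.1 is closed by the 5.13.0 upgrade, and the instruction to explicitly list trusted packages is backed by a concrete link (http://activemq.apache.org/objectmessage.html) rather than left as a bare recommendation.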

Modified: websites/production/activemq/content/security-advisories.html
==============================================================================
--- websites/production/activemq/content/security-advisories.html (original)
+++ websites/production/activemq/content/security-advisories.html Tue Dec  8 16:21:54 2015
@@ -72,7 +72,7 @@
   <tbody>
         <tr>
         <td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache
ActiveMQ</h2><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2"
data-linked-resource-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2015-1830</a> - Path traversal leading
to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;modificationDate=1446901063000&amp;api=v2"
data-linked-resource-id="61327457" data-linked-resource-version="1" data-linked-resource-type="a
 ttachment" data-linked-resource-default-alias="CVE-2014-3576-announcement.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2014-3576</a> -&#160;Remote Unauthenticated
Shutdown of Broker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2014-3600</a>&#160;-&#160;Apache
ActiveMQ XXE with XPath selectors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&a
 mp;api=v2" data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2014-3612</a> -&#160;ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2014-8110</a> -&#160;<span
style="line-heigh
 t: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span style="line-height:
1.4285715;"><br clear="none"></span></li></ul><h2 id="SecurityAdvisories-ActiveMQApollo"><span
style="line-height: 1.4285715;">ActiveMQ Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span
style="line-height: 1.4285715;">2014</span></h3><ul><li><span
style="line-height: 1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a
shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="5">CVE-2014-3579</a><span style="line-height:
1.4285715;"> -&#160;ActiveMQ Apollo XXE with
  XPath selectors</span></li></ul><p><span style="line-height:
1.4285715;">&#160;</span></p></div>
+<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache
ActiveMQ</h2><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a
shape="rect" class="external-link" href="http://cwiki.apache.org">CVE-2015-5254</a>
-&#160;Unsafe deserialization in ActiveMQ</li><li><a shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2"
data-linked-resource-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="7">CVE-2015-1830</a> - Path traversal leading
to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;mo
 dificationDate=1446901063000&amp;api=v2" data-linked-resource-id="61327457" data-linked-resource-version="1"
data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3576-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="7">CVE-2014-3576</a> -&#160;Remote Unauthenticated
Shutdown of Broker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="7">CVE-2014-3600</a>&#160;-&#160;Apache
ActiveMQ XXE with XPath selec
 tors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&amp;api=v2"
data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="7">CVE-2014-3612</a> -&#160;ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
  data-linked-resource-container-id="51808957" data-linked-resource-container-version="7">CVE-2014-8110</a>
-&#160;<span style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span
style="line-height: 1.4285715;"><br clear="none"></span></li></ul><h2
id="SecurityAdvisories-ActiveMQApollo"><span style="line-height: 1.4285715;">ActiveMQ
Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span style="line-height:
1.4285715;">2014</span></h3><ul><li><span style="line-height:
1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a
shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="518
 08957" data-linked-resource-container-version="7">CVE-2014-3579</a><span style="line-height:
1.4285715;"> -&#160;ActiveMQ Apollo XXE with XPath selectors</span></li></ul><p><span
style="line-height: 1.4285715;">&#160;</span></p></div>
         </td>
         <td valign="top">
           <div class="navigation">
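Review bot: the new CVE-2015-5254 list item links to the bare host http://cwiki.apache.org instead of to the announcement file this same commit adds under security-advisories.data/CVE-2015-5254-announcement.txt; every other entry in the list (CVE-2015-1830, CVE-2014-3576, CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579) points at its own announcement attachment, so this one should as well, otherwise readers of the advisories page cannot reach the affected-versions and mitigation details. The generic external link also has no page path, so it resolves only to the wiki front page.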


