activemq-commits mailing list archives

From cshan...@apache.org
Subject svn commit: r982387 - in /websites/production/activemq/content/security-advisories.data: CVE-2016-0734-announcement.txt CVE-2016-0782-announcement.txt
Date Thu, 10 Mar 2016 12:24:33 GMT
Author: cshannon
Date: Thu Mar 10 12:24:33 2016
New Revision: 982387

Log:
Adding CVE announcements

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
    websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
(added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0734: ActiveMQ Web Console - Clickjacking
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+The web based administration console does not set the X-Frame-Options header in HTTP responses.
This allows the console to be embedded in a frame or iframe which could then be used to cause
a user to perform an unintended action in the console.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.13.2
+
+Credit:
+This issue was discovered by Michael Furman
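Review bot: The Mitigation section of this advisory names only 5.13.2, while the companion CVE-2016-0782 advisory committed in the same revision lists 5.11.4, 5.12.3, or 5.13.2 as fixed releases for the same affected range (5.0.0 - 5.13.1); if the X-Frame-Options fix was also backported to the 5.11.x and 5.12.x branches, list those releases here too, otherwise state explicitly that users on those branches need to move to 5.13.2. The Description would also be more useful if it stated the header value the fixed console now sends (DENY or SAMEORIGIN), so operators fronting the console with a reverse proxy can verify the response. Minor style point: there are two blank lines before "Mitigation:" where the other sections use one.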

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
(added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+Several instances of cross-site scripting vulnerabilities were identified to be present in
the web based administration console as well as the ability to trigger a Java memory dump
into an arbitrary folder. The root cause of these issues are improper user data output validation
and incorrect permissions configured on Jolokia.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2
+
+Credit:
+This issue was discovered by Vladimir Ivanov (Positive Technologies)
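Review bot: The title covers only "Cross-Site Scripting", but the Description also reports a second, distinct issue (triggering a Java memory dump into an arbitrary folder through incorrectly configured Jolokia permissions); either reflect both issue classes in the title or split the Jolokia permission problem into its own advisory so readers scanning titles do not miss it. In the Description, "The root cause of these issues are improper user data output validation" should read "The root causes of these issues are ..." or "The root cause ... is ...". As with the CVE-2016-0734 file in this revision, the double blank line before "Mitigation:" should be reduced to one.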
