activemq-dev mailing list archives

From "Int3 (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-5745) Code analysis revealed multiple vulnerable sections of code
Date Mon, 27 Apr 2015 04:15:38 GMT
Int3 created AMQ-5745:
-------------------------

             Summary: Code analysis revealed multiple vulnerable sections of code
                 Key: AMQ-5745
                 URL: https://issues.apache.org/jira/browse/AMQ-5745
             Project: ActiveMQ
          Issue Type: Bug
    Affects Versions: 5.9.0
            Reporter: Int3
         Attachments: activemq.patch

Code analysis revealed multiple vulnerable sections of code in ActiveMQ 5.9.0.  A patch file
is attached that addresses the issues below.

activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706

	This code uses the "eval()" function to evaluate JSON code -- this method is deprecated
and dangerous and has been replaced by the JSON.parse() method, which is supported in all
modern browsers -- considering that less than 2% of modern computers are still using legacy
browsers, we believe the code should be upgraded to use the more secure method.

activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198

	Resource leaks are possible at these code locations (the patched code releases the resources
within a finally() statement)

activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568

	NULL dereferences are possible at these code locations

activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269

	Double-locking of this form is vulnerable to race conditions

activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284

	XSS reflection is possible at these code locations (an XSS filter should be added)

activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72

	Path manipulation is possible via ".." directory traversal

activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141

	A return statement inside a finally block will cause any exception that might be thrown in
the try or catch block to be discarded.

activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68

	Recording passwords to a logfile in plaintext is inadvisable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
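
Added example, not part of the original report or of ActiveMQ's code: the difference behind the prototype.js finding above, shown on constructed response text. The function names, the `executed` array and both sample responses are assumptions made for illustration.

```javascript
// Constructed example: neither parser below is copied from prototype.js.

// Records anything a "response" manages to execute. It stands in for any
// action script could take inside the page that consumes the response.
const executed = [];

// Legacy pattern: treat the response text as JavaScript source.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Replacement: JSON.parse accepts only the JSON grammar and never runs code.
function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed responses: one well-formed, one with an expression in a value.
const responses = {
  benign: '{"queue": "orders", "depth": 3}',
  tampered: '{"queue": (executed.push("code ran"), "orders"), "depth": 3}',
};

// Runs one response through both parsers and reports what happened.
function compare(text) {
  executed.length = 0;
  const viaEval = parseWithEval(text);
  const ranUnderEval = executed.length > 0;

  executed.length = 0;
  const viaParse = parseWithJsonParse(text);
  return {
    evalQueue: viaEval.queue,      // eval returns a normal-looking object
    ranUnderEval,                  // true if the response executed code
    parseOk: viaParse.ok,          // false if JSON.parse rejected the text
    parseError: viaParse.error,
    ranUnderParse: executed.length > 0,
  };
}

for (const [name, text] of Object.entries(responses)) {
  console.log(name, compare(text));
}
```

With eval() the tampered response still yields an ordinary-looking object, so nothing downstream signals that code ran; JSON.parse() rejects the same text with a SyntaxError.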
