Author: cshannon
Date: Thu Mar 10 12:24:33 2016
New Revision: 982387

Log:
Adding CVE announcements

Added:
    
websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
    
websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt

Added: 
websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
==============================================================================
--- 
websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
 (added)
+++ 
websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
 Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0734: ActiveMQ Web Console - Clickjacking
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+The web based administration console does not set the X-Frame-Options header 
in HTTP responses. This allows the console to be embedded in a frame or iframe 
which could then be used to cause a user to perform an unintended action in the 
console.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.13.2
+
+Credit:
+This issue was discovered by Michael Furman
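
Review bot: The Mitigation line names only 5.13.2, while the CVE-2016-0782 announcement added in this same commit lists 5.11.4, 5.12.3, or 5.13.2 for the identical affected range (5.0.0 - 5.13.1). If the X-Frame-Options fix also shipped in the 5.11.x and 5.12.x maintenance releases, list them here. If it did not, say so explicitly so users on those branches know they have to move to 5.13.2. The Description would also be easier to act on if it stated which X-Frame-Options value the fixed console sends, so operators can confirm the fix from a response header.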

Added: 
websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
==============================================================================
--- 
websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
 (added)
+++ 
websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt
 Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@
+CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.1
+
+Description:
+Several instances of cross-site scripting vulnerabilities were identified to 
be present in the web based administration console as well as the ability to 
trigger a Java memory dump into an arbitrary folder. The root cause of these 
issues are improper user data output validation and incorrect permissions 
configured on Jolokia.
+
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2
+
+Credit:
+This issue was discovered by Vladimir Ivanov (Positive Technologies)
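
Review bot: The title on the first line says only "Cross-Site Scripting", but the Description also covers a second issue: the ability to trigger a Java memory dump into an arbitrary folder because of incorrect permissions configured on Jolokia. Readers who triage by title will miss that part, so either name both issues in the title or give the Jolokia issue its own paragraph. The Mitigation line should also state whether upgrading alone corrects the Jolokia permissions or whether existing configurations need a manual change. Minor wording: "The root cause of these issues are" should read "The root causes of these issues are".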

