This is an automated email from the ASF dual-hosted git repository.

robbie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-website.git

commit f6de05a551ea9ee03b1dda0f89382d843ed4ba69
Author: Robbie Gemmell <rob...@apache.org>
AuthorDate: Thu Mar 28 15:21:04 2019 +0000

    Improvements around security advisory page(s):
    
    - Create component pages for prior advisories, cross link to from central page.
    - Detail reporting process, include on contact nav for visibility.
    - Add a couple of missing Artemis entries with matching txt files for consistency.
---
 src/_includes/nav.html                             |  3 +-
 src/projects/artemis/security.md                   | 16 ++++++
 src/projects/classic/security.md                   | 38 +++++++++++++++
 src/security-advisories-apollo.md                  | 18 +++++++
 .../CVE-2016-4978-announcement.txt                 | 56 +++++++++++++++++++++
 .../CVE-2017-12174-announcement.txt                | 26 ++++++++++
 src/security-advisories.md                         | 57 +++++++++-------------
 7 files changed, 178 insertions(+), 36 deletions(-)

diff --git a/src/_includes/nav.html b/src/_includes/nav.html
index e880c3f..1b4df5d 100644
--- a/src/_includes/nav.html
+++ b/src/_includes/nav.html
@@ -40,6 +40,7 @@
                                     <li class="nav-item"><a 
class="dropdown-item" href="{{site.baseurl}}/contact#chat">Chat</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" href="{{site.baseurl}}/contact#issues">Report 
Issues</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" 
href="{{site.baseurl}}/contact#contributing">Contributing</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="{{site.baseurl}}/security-advisories.html">Security</a></li>
                                 </ul>
                             </div>
                           </div>
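Review bot: the new Security entry links to `{{site.baseurl}}/security-advisories.html` while the sibling entries in this dropdown (`contact#chat`, `contact#issues`, `contact#contributing`) use extension-less paths; unless the `.html` suffix is deliberately required here, use `{{site.baseurl}}/security-advisories` so the link style stays consistent and does not break if the site later moves to pretty permalinks.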
@@ -72,7 +73,7 @@
                                     <li class="nav-item"><a 
class="dropdown-item" href="https://www.apache.org/licenses/";>License</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/foundation/thanks.html";>Thanks</a></li>
-                                    <li class="nav-item"><a 
class="dropdown-item" href="https://www.apache.org/security/";>Security</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="{{site.baseurl}}/security-advisories.html">Security</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/events/current-event";>Events</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" 
href="https://people.apache.org/phonebook.html?pmc=activemq";>PMC & 
Committers</a></li>
                                     <li class="nav-item"><a 
class="dropdown-item" href="{{site.baseurl}}/team/reports">Board 
Reports</a></li>
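Review bot: dropping the `https://www.apache.org/security/` link from this dropdown is acceptable only because the reworked `src/security-advisories.md` in this same patch links to the ASF Security Team pages under its reporting section; if that section is ever moved or trimmed, the foundation-level security contact disappears from the nav entirely, so consider keeping the external link alongside the local one (for example `Security` and `ASF Security`). The same `.html` suffix question as in the previous hunk applies to the replacement href.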
diff --git a/src/projects/artemis/security.md b/src/projects/artemis/security.md
new file mode 100644
index 0000000..f2d495d
--- /dev/null
+++ b/src/projects/artemis/security.md
@@ -0,0 +1,16 @@
+---
+layout: default_md
+title: Security Advisories - ActiveMQ Artemis
+title-class: page-title-artemis
+type: artemis
+---
+
+Details of security problems fixed in released versions of Apache ActiveMQ 
Artemis are detailed below.
+
+See the main [Security Advisories](../../security-advisories) page for details 
for other components and general information such as reporting new security 
issues.
+
+#### 2018
+*   
[CVE-2017-12174](../../security-advisories.data/CVE-2017-12174-announcement.txt)
 - Memory exhaustion via UDP and JGroups discovery
+
+#### 2016
+*   
[CVE-2016-4978](../../security-advisories.data/CVE-2016-4978-announcement.txt) 
- Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability
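Review bot: the link text for CVE-2016-4978 carries the typo `vunerability` (copied from the announcement title); the announcement txt may need to stay verbatim, but the page text can read `Deserialization of untrusted input vulnerability`. The opening sentence `Details of security problems ... are detailed below` repeats itself; `Security problems fixed in released versions of Apache ActiveMQ Artemis are listed below.` says the same thing once.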
diff --git a/src/projects/classic/security.md b/src/projects/classic/security.md
new file mode 100644
index 0000000..c6996f1
--- /dev/null
+++ b/src/projects/classic/security.md
@@ -0,0 +1,38 @@
+---
+layout: default_md
+title: Security Advisories - ActiveMQ 5.x
+title-class: page-title-activemq5
+type: activemq5
+---
+
+Details of security problems fixed in released versions of Apache ActiveMQ 5.x 
are detailed below.
+
+See the main [Security Advisories](../../security-advisories) page for details 
for other components and general information such as reporting new security 
issues.
+
+#### 2019
+*   
[CVE-2019-0222](../../security-advisories.data/CVE-2019-0222-announcement.txt) 
- Corrupt MQTT frame can cause broker shutdown
+
+#### 2018
+*   
[CVE-2018-8006](../../security-advisories.data/CVE-2018-8006-announcement.txt) 
- ActiveMQ Web Console - Cross-Site Scripting
+*   
[CVE-2017-15709](../../security-advisories.data/CVE-2017-15709-announcement.txt)
 - Information Leak
+*   
[CVE-2018-11775](../../security-advisories.data/CVE-2018-11775-announcement.txt)
 - Missing TLS Hostname Verification
+
+#### 2017
+*   
[CVE-2015-7559](../../security-advisories.data/CVE-2015-7559-announcement.txt) 
- DoS in client via shutdown command
+
+#### 2016
+*   
[CVE-2016-6810](../../security-advisories.data/CVE-2016-6810-announcement.txt) 
- ActiveMQ Web Console - Cross-Site Scripting
+*   
[CVE-2016-0734](../../security-advisories.data/CVE-2016-0734-announcement.txt) 
- ActiveMQ Web Console - Clickjacking
+*   
[CVE-2016-0782](../../security-advisories.data/CVE-2016-0782-announcement.txt) 
- ActiveMQ Web Console - Cross-Site Scripting
+*   
[CVE-2016-3088](../../security-advisories.data/CVE-2016-3088-announcement.txt) 
- ActiveMQ Fileserver web application vulnerabilities
+
+#### 2015
+*   
[CVE-2015-5254](../../security-advisories.data/CVE-2015-5254-announcement.txt) 
- Unsafe deserialization in ActiveMQ
+*   
[CVE-2015-1830](../../security-advisories.data/CVE-2015-1830-announcement.txt) 
- Path traversal leading to unauthenticated RCE in ActiveMQ 
+
+#### 2014
+*   
[CVE-2014-3576](../../security-advisories.data/CVE-2014-3576-announcement.txt) 
- Remote Unauthenticated Shutdown of Broker (DoS)
+*   
[CVE-2014-3600](../../security-advisories.data/CVE-2014-3600-announcement.txt) 
- Apache ActiveMQ XXE with XPath selectors
+*   
[CVE-2014-3612](../../security-advisories.data/CVE-2014-3612-announcement.txt) 
- ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and 
Wildcard Interpretation
+*   
[CVE-2014-8110](../../security-advisories.data/CVE-2014-8110-announcement.txt) 
- ActiveMQ Web Console - Cross-Site Scripting
+
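Review bot: the 2018 section lists CVE-2017-15709 between two CVE-2018 identifiers, which is fine if entries are grouped by announcement date rather than by CVE year, but a one-line note at the top of the page (`grouped by year of announcement`) would stop readers from reporting it as misfiled. Minor: the CVE-2015-1830 line ends with trailing whitespace (`RCE in ActiveMQ `), the file ends with an extra blank `+` line, and the opening sentence has the same `Details ... are detailed` repetition as the Artemis page.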
diff --git a/src/security-advisories-apollo.md 
b/src/security-advisories-apollo.md
new file mode 100644
index 0000000..3cbaa65
--- /dev/null
+++ b/src/security-advisories-apollo.md
@@ -0,0 +1,18 @@
+---
+layout: default_md
+title: Security Advisories - ActiveMQ Apollo
+title-class: page-title-activemq5
+type: activemq5
+---
+
+**NOTE: ActiveMQ Apollo is deprecated and no longer maintained. We strongly 
recommend you use [ActiveMQ 5.x](projects/classic) or [ActiveMQ 
Artemis](projects/artemis) instead.**
+
+Details of security problems fixed in released versions of Apache ActiveMQ 
Apollo are detailed below.
+
+See the main [Security Advisories](security-advisories) page for details for 
other components and general information such as reporting new issues.
+
+#### 2014
+*   
[CVE-2014-3579](security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2)
 - ActiveMQ Apollo XXE with XPath selectors
+
+
+
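Review bot: the CVE-2014-3579 link keeps a Confluence export query string (`?version=1&modificationDate=1423054118000&api=v2`) carried over from the old page; it does nothing on the Jekyll site and should be trimmed to `security-advisories.data/CVE-2014-3579-announcement.txt` like every other advisory link in this patch. The front matter reuses `title-class: page-title-activemq5` / `type: activemq5` for an Apollo page, which styles and classifies it as an ActiveMQ 5 page; if no Apollo type exists, say so in a comment so nobody tries to fix it later. The `See the main ... reporting new issues` sentence should match the `reporting new security issues` wording used on the two component pages, and the file ends with two stray blank lines.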
diff --git a/src/security-advisories.data/CVE-2016-4978-announcement.txt 
b/src/security-advisories.data/CVE-2016-4978-announcement.txt
new file mode 100644
index 0000000..2af3a40
--- /dev/null
+++ b/src/security-advisories.data/CVE-2016-4978-announcement.txt
@@ -0,0 +1,56 @@
+[CVE-2016-4978] Apache ActiveMQ Artemis: Deserialization of untrusted input 
vunerability
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Artemis 1.0.0, 1.1.0, 1.2.0, 1.3.0
+
+A class implementing the Serializable interface is free to implement
+the “readObject(java.io.ObjectInputStream
+in)” method however it chooses. This readObject method is used during the
+deserialization process, when constructing a java object from a serialized
+byte stream. It is possible to implement the method in such a way that can
+result in java code being executed during the deserialization of an object
+of this class (gadget class).
+
+The JMS specification outlines a getObject() method on the
+javax.jms.ObjectMessage
+class. The Apache Artemis implementation of this method allows
+deserialization of objects, from untrusted input. There are several places
+where Apache Artemis uses this getObject() method. In the JMS Core client,
+the Artemis broker and the Artemis REST component. These Artemis components
+may therefore be vulnerable to a remote code execution attack. Successful
+exploitations of this vulnerability rely on these "gadget classes"  being
+present on the Artemis classpath and the sender of the untrusted input
+being authenticated and authorized to send messages to the Artemis broker.
+
+The code execution exploit may happen under the following circumstances:
+
+· In the JMS client when consuming an object message.
+
+· In the REST module when a REST client requests to consume a message that
+was originally sent as an object message (cross protocol).
+
+· In the Artemis management layer, when a client sends an object message to
+a management address.
+
+· On the broker when an AMQP client consumes a message that was originally
+sent as an object message (cross protocol).
+
+For this exploit to occur the sender of the compromised message needs to be
+authenticated and authorized in order to send the message to the Artemis
+broker and affected classes (gadget classes) present on the Artemis class
+path.
+
+Mitigation:
+To secure the Apache Artemis broker and management layer:
+** Upgrade to 1.4.0.
+
+For the Apache Artemis REST module and Apache Artemis JMS client.
+** Upgrade to Apache Artemis 1.4.0
+** Configure the appropriate deserialization white/black lists as outlined
+in the Artemis documentation.
+
+Credit: This issue was discovered by Matthias Kaiser of Code White (
+www.code-white.com)
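Review bot: the title line reads `vunerability` and the mitigation refers to `white/black lists ... as outlined in the Artemis documentation` with no link; if this file is intended to be the announcement exactly as sent to the list, as the commit message implies, leave it byte-for-byte and fix only the link text on the component page, but if it is being edited at all, correct the spelling and add the documentation reference. Also worth confirming that `Versions Affected: Apache Artemis 1.0.0, 1.1.0, 1.2.0, 1.3.0` matches the original announcement, since the sibling CVE-2017-12174 file lists versions without a product name and the two formats differ.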
diff --git a/src/security-advisories.data/CVE-2017-12174-announcement.txt 
b/src/security-advisories.data/CVE-2017-12174-announcement.txt
new file mode 100644
index 0000000..06d9091
--- /dev/null
+++ b/src/security-advisories.data/CVE-2017-12174-announcement.txt
@@ -0,0 +1,26 @@
+CVE-2017-12174: Memory exhaustion via UDP and JGroups discovery
+
+Severity: High
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: 1.0.0, 1.1.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1,
+1.5.2, 1.5.3, 1.5.4, 1.5.5, 2.0.0, 2.1.0, 2.2.0, 2.3.0
+
+Description:
+
+If an Apache Artemis broker is configured with discovery enabled (either
+UDP or JGroups), on receiving of a packet over a discovery endpoint, Apache
+Artemis will attempt to decode the packet and as part of it an encoded
+simple string.  The first four bytes of the encoded simple string represent
+it's length.  During the decoding process Apache Artemis will create a byte
+array of the same length.  It is possible therefore to send a manipulated
+packet to Apache Artemis with a very large integer in the first four bytes
+of the simple string encoding.  Upon receiving the packet the broker will
+attempt to allocate a byte array of this large size.  This could result in
+heap memory exhaustion, full GC or in the worst case an unrecoverable
+OutOfMemoryError, resulting in loss of service.
+
+Mitigation: Upgrade to Apache Artemis 1.5.6 or 2.4.0
+
+Credit: This issue was discovered by Bharti Kundal of Red Hat Inc.
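Review bot: `Versions Affected` lists `1.1.0` twice and the description has `it's length` where `its length` is meant; same question as for the other txt file, whether this is the verbatim announcement (keep as-is) or an edited copy (fix both). The severity vocabulary also differs between the two files (`High` here, `Important` in CVE-2016-4978), so if these are curated rather than verbatim, pick one scale.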
diff --git a/src/security-advisories.md b/src/security-advisories.md
index 67b1dd6..abc9b83 100644
--- a/src/security-advisories.md
+++ b/src/security-advisories.md
@@ -1,47 +1,34 @@
 ---
 layout: default_md
-title: Security Advisories 
-title-class: page-title-activemq5
-type: activemq5
+title: Security Advisories
+title-class: page-title-main
+type: main
 ---
 
-[Community](community) > [Security Advisories](security-advisories)
+#### Prior updates
 
+Details of security problems fixed in released versions of individual Apache
+ActiveMQ components are detailed at:
 
-Apache ActiveMQ
----------------
+* [ActiveMQ 5](projects/classic/security)
+* [ActiveMQ Artemis](projects/artemis/security)
+* [ActiveMQ Apollo](security-advisories-apollo)
 
 
-#### 2019
-*   [CVE-2019-0222](security-advisories.data/CVE-2019-0222-announcement.txt) - 
Corrupt MQTT frame can cause broker shutdown
+#### Reporting new security problems with Apache ActiveMQ components
 
-#### 2018
-*   [CVE-2018-8006](security-advisories.data/CVE-2018-8006-announcement.txt) - 
ActiveMQ Web Console - Cross-Site Scripting
-*   [CVE-2017-15709](security-advisories.data/CVE-2017-15709-announcement.txt) 
- Information Leak
-*   [CVE-2018-11775](security-advisories.data/CVE-2018-11775-announcement.txt) 
- Missing TLS Hostname Verification
+We strongly encourage people to report security problems privately, using the
+security mailing list of the ASF Security Team, before disclosing them in a
+public forum.
 
-#### 2017
-*   [CVE-2015-7559](security-advisories.data/CVE-2015-7559-announcement.txt) - 
DoS in client via shutdown command
-    
-#### 2016
-*   [CVE-2016-6810](security-advisories.data/CVE-2016-6810-announcement.txt) - 
ActiveMQ Web Console - Cross-Site Scripting
-*   [CVE-2016-0734](security-advisories.data/CVE-2016-0734-announcement.txt) - 
ActiveMQ Web Console - Clickjacking
-*   [CVE-2016-0782](security-advisories.data/CVE-2016-0782-announcement.txt) - 
ActiveMQ Web Console - Cross-Site Scripting
-*   [CVE-2016-3088](security-advisories.data/CVE-2016-3088-announcement.txt) - 
ActiveMQ Fileserver web application vulnerabilities
+Please see the [ASF Security Team](https://www.apache.org/security/) pages
+for contact information and further detail on the process.
 
-#### 2015
-*   [CVE-2015-5254](security-advisories.data/CVE-2015-5254-announcement.txt) - 
Unsafe deserialization in ActiveMQ
-*   [CVE-2015-1830](security-advisories.data/CVE-2015-1830-announcement.txt) - 
Path traversal leading to unauthenticated RCE in ActiveMQ 
-
-#### 2014
-*   [CVE-2014-3576](security-advisories.data/CVE-2014-3576-announcement.txt) - 
Remote Unauthenticated Shutdown of Broker (DoS)
-*   [CVE-2014-3600](security-advisories.data/CVE-2014-3600-announcement.txt) - 
Apache ActiveMQ XXE with XPath selectors
-*   [CVE-2014-3612](security-advisories.data/CVE-2014-3612-announcement.txt) - 
ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and 
Wildcard Interpretation
-*   [CVE-2014-8110](security-advisories.data/CVE-2014-8110-announcement.txt) - 
ActiveMQ Web Console - Cross-Site Scripting  
-    
-
-ActiveMQ Apollo
----------------
-#### 2014
-*   
[CVE-2014-3579](security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2)
 - ActiveMQ Apollo XXE with XPath selectors
+The ASF Security Team cannot accept regular bug reports or other queries,
+mail sent to tthem which does not relate to security problems in Apache
+software will be ignored.
 
+General questions such as those about using ActiveMQ components, or whether an
+exiting published vulnerability applies to your application, etc, should be
+addressed to our regular channels, e.g the users mailing list. Please see the
+[Contact page](contact) for details of how to subscribe.
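Review bot: several typos in the newly written reporting text: `mail sent to tthem` should be `them`, `whether an exiting published vulnerability` should be `existing`, and `e.g the users mailing list` needs `e.g.`. The sentence `The ASF Security Team cannot accept regular bug reports or other queries, mail sent to them which does not relate to security problems in Apache software will be ignored.` is a comma splice; split it after `queries`. `#### Prior updates` is an odd heading for a list of published advisories; `#### Published advisories` describes the section. The intro `Details of security problems ... are detailed at:` repeats `detail`; `Security problems fixed in released versions of individual Apache ActiveMQ components are listed at:` reads cleaner. Also confirm the three relative links (`projects/classic/security`, `projects/artemis/security`, `security-advisories-apollo`) resolve from this page's location, given the nav entries use `{{site.baseurl}}` prefixes.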
