This is an automated email from the ASF dual-hosted git repository. robbie pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/activemq-website.git
commit f6de05a551ea9ee03b1dda0f89382d843ed4ba69 Author: Robbie Gemmell <rob...@apache.org> AuthorDate: Thu Mar 28 15:21:04 2019 +0000 Improvements around security advisory page(s): - Create component pages for prior advisories, cross link to from central page. - Detail reporting process, include on contact nav for visibility. - Add a couple of missing Artemis entries with matching txt files for consistency. --- src/_includes/nav.html | 3 +- src/projects/artemis/security.md | 16 ++++++ src/projects/classic/security.md | 38 +++++++++++++++ src/security-advisories-apollo.md | 18 +++++++ .../CVE-2016-4978-announcement.txt | 56 +++++++++++++++++++++ .../CVE-2017-12174-announcement.txt | 26 ++++++++++ src/security-advisories.md | 57 +++++++++------------- 7 files changed, 178 insertions(+), 36 deletions(-) diff --git a/src/_includes/nav.html b/src/_includes/nav.html index e880c3f..1b4df5d 100644 --- a/src/_includes/nav.html +++ b/src/_includes/nav.html @@ -40,6 +40,7 @@ <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/contact#chat">Chat</a></li> <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/contact#issues">Report Issues</a></li> <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/contact#contributing">Contributing</a></li> + <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/security-advisories.html">Security</a></li> </ul> </div> </div> 
@@ -72,7 +73,7 @@ <li class="nav-item"><a class="dropdown-item" href="https://www.apache.org/licenses/">License</a></li> <li class="nav-item"><a class="dropdown-item" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> <li class="nav-item"><a class="dropdown-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> - <li class="nav-item"><a class="dropdown-item" href="https://www.apache.org/security/">Security</a></li> + <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/security-advisories.html">Security</a></li> <li class="nav-item"><a class="dropdown-item" href="https://www.apache.org/events/current-event">Events</a></li> <li class="nav-item"><a class="dropdown-item" href="https://people.apache.org/phonebook.html?pmc=activemq">PMC & Committers</a></li> <li class="nav-item"><a class="dropdown-item" href="{{site.baseurl}}/team/reports">Board Reports</a></li> diff --git a/src/projects/artemis/security.md b/src/projects/artemis/security.md new file mode 100644 index 0000000..f2d495d --- /dev/null +++ b/src/projects/artemis/security.md @@ -0,0 +1,16 @@ +--- +layout: default_md +title: Security Advisories - ActiveMQ Artemis +title-class: page-title-artemis +type: artemis +--- + +Details of security problems fixed in released versions of Apache ActiveMQ Artemis are detailed below. + +See the main [Security Advisories](../../security-advisories) page for details for other components and general information such as reporting new security issues. + +#### 2018 +* [CVE-2017-12174](../../security-advisories.data/CVE-2017-12174-announcement.txt) - Memory exhaustion via UDP and JGroups discovery + +#### 2016 +* [CVE-2016-4978](../../security-advisories.data/CVE-2016-4978-announcement.txt) - Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability diff --git a/src/projects/classic/security.md b/src/projects/classic/security.md new file mode 100644 index 0000000..c6996f1 --- /dev/null 
+++ b/src/projects/classic/security.md 
@@ -0,0 +1,38 @@ +--- +layout: default_md +title: Security Advisories - ActiveMQ 5.x +title-class: page-title-activemq5 +type: activemq5 +--- + +Details of security problems fixed in released versions of Apache ActiveMQ 5.x are detailed below. + +See the main [Security Advisories](../../security-advisories) page for details for other components and general information such as reporting new security issues. + +#### 2019 +* [CVE-2019-0222](../../security-advisories.data/CVE-2019-0222-announcement.txt) - Corrupt MQTT frame can cause broker shutdown + +#### 2018 +* [CVE-2018-8006](../../security-advisories.data/CVE-2018-8006-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting +* [CVE-2017-15709](../../security-advisories.data/CVE-2017-15709-announcement.txt) - Information Leak +* [CVE-2018-11775](../../security-advisories.data/CVE-2018-11775-announcement.txt) - Missing TLS Hostname Verification + +#### 2017 +* [CVE-2015-7559](../../security-advisories.data/CVE-2015-7559-announcement.txt) - DoS in client via shutdown command + +#### 2016 +* [CVE-2016-6810](../../security-advisories.data/CVE-2016-6810-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting +* [CVE-2016-0734](../../security-advisories.data/CVE-2016-0734-announcement.txt) - ActiveMQ Web Console - Clickjacking +* [CVE-2016-0782](../../security-advisories.data/CVE-2016-0782-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting +* [CVE-2016-3088](../../security-advisories.data/CVE-2016-3088-announcement.txt) - ActiveMQ Fileserver web application vulnerabilities + +#### 2015 +* [CVE-2015-5254](../../security-advisories.data/CVE-2015-5254-announcement.txt) - Unsafe deserialization in ActiveMQ +* [CVE-2015-1830](../../security-advisories.data/CVE-2015-1830-announcement.txt) - Path traversal leading to unauthenticated RCE in ActiveMQ + +#### 2014 +* [CVE-2014-3576](../../security-advisories.data/CVE-2014-3576-announcement.txt) - Remote Unauthenticated Shutdown of Broker (DoS) +* 
[CVE-2014-3600](../../security-advisories.data/CVE-2014-3600-announcement.txt) - Apache ActiveMQ XXE with XPath selectors +* [CVE-2014-3612](../../security-advisories.data/CVE-2014-3612-announcement.txt) - ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation +* [CVE-2014-8110](../../security-advisories.data/CVE-2014-8110-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting + diff --git a/src/security-advisories-apollo.md b/src/security-advisories-apollo.md new file mode 100644 index 0000000..3cbaa65 --- /dev/null +++ b/src/security-advisories-apollo.md @@ -0,0 +1,18 @@ +--- +layout: default_md +title: Security Advisories - ActiveMQ Apollo +title-class: page-title-activemq5 +type: activemq5 +--- + +**NOTE: ActiveMQ Apollo is deprecated and no longer maintained. We strongly recommend you use [ActiveMQ 5.x](projects/classic) or [ActiveMQ Artemis](projects/artemis) instead.** + +Details of security problems fixed in released versions of Apache ActiveMQ Apollo are detailed below. + +See the main [Security Advisories](security-advisories) page for details for other components and general information such as reporting new issues. + +#### 2014 +* [CVE-2014-3579](security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2) - ActiveMQ Apollo XXE with XPath selectors + + + diff --git a/src/security-advisories.data/CVE-2016-4978-announcement.txt b/src/security-advisories.data/CVE-2016-4978-announcement.txt new file mode 100644 index 0000000..2af3a40 --- /dev/null +++ b/src/security-advisories.data/CVE-2016-4978-announcement.txt 
@@ -0,0 +1,56 @@ +[CVE-2016-4978] Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability + +Severity: Important + +Vendor: The Apache Software Foundation + +Versions Affected: Apache Artemis 1.0.0, 1.1.0, 1.2.0, 1.3.0 + +A class implementing the Serializable interface is free to implement +the “readObject(java.io.ObjectInputStream +in)” method however it chooses. This readObject method is used during the +deserialization process, when constructing a java object from a serialized +byte stream. It is possible to implement the method in such a way that can +result in java code being executed during the deserialization of an object +of this class (gadget class). + +The JMS specification outlines a getObject() method on the +javax.jms.ObjectMessage +class. The Apache Artemis implementation of this method allows +deserialization of objects, from untrusted input. There are several places +where Apache Artemis uses this getObject() method. In the JMS Core client, +the Artemis broker and the Artemis REST component. These Artemis components +may therefore be vulnerable to a remote code execution attack. Successful +exploitations of this vulnerability rely on these "gadget classes" being +present on the Artemis classpath and the sender of the untrusted input +being authenticated and authorized to send messages to the Artemis broker. + +The code execution exploit may happen under the following circumstances: + +· In the JMS client when consuming an object message. + +· In the REST module when a REST client requests to consume a message that +was originally sent as an object message (cross protocol). + +· In the Artemis management layer, when a client sends an object message to +a management address. + +· On the broker when an AMQP client consumes a message that was originally +sent as an object message (cross protocol). 
+ +For this exploit to occur the sender of the compromised message needs to be +authenticated and authorized in order to send the message to the Artemis +broker and affected classes (gadget classes) present on the Artemis class +path. + +Mitigation: +To secure the Apache Artemis broker and management layer: +** Upgrade to 1.4.0. + +For the Apache Artemis REST module and Apache Artemis JMS client. +** Upgrade to Apache Artemis 1.4.0 +** Configure the appropriate deserialization white/black lists as outlined +in the Artemis documentation. + +Credit: This issue was discovered by Matthias Kaiser of Code White ( +www.code-white.com) diff --git a/src/security-advisories.data/CVE-2017-12174-announcement.txt b/src/security-advisories.data/CVE-2017-12174-announcement.txt new file mode 100644 index 0000000..06d9091 --- /dev/null +++ b/src/security-advisories.data/CVE-2017-12174-announcement.txt 
@@ -0,0 +1,26 @@ +CVE-2017-12174: Memory exhaustion via UDP and JGroups discovery + +Severity: High + +Vendor: The Apache Software Foundation + +Versions Affected: 1.0.0, 1.1.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, +1.5.2, 1.5.3, 1.5.4, 1.5.5, 2.0.0, 2.1.0, 2.2.0, 2.3.0 + +Description: + +If an Apache Artemis broker is configured with discovery enabled (either +UDP or JGroups), on receiving of a packet over a discovery endpoint, Apache +Artemis will attempt to decode the packet and as part of it an encoded +simple string. The first four bytes of the encoded simple string represent +it's length. During the decoding process Apache Artemis will create a byte +array of the same length. It is possible therefore to send a manipulated +packet to Apache Artemis with a very large integer in the first four bytes +of the simple string encoding. Upon receiving the packet the broker will +attempt to allocate a byte array of this large size. This could result in +heap memory exhaustion, full GC or in the worst case an unrecoverable +OutOfMemoryError, resulting in loss of service. + +Mitigation: Upgrade to Apache Artemis 1.5.6 or 2.4.0 + +Credit: This issue was discovered by Bharti Kundal of Red Hat Inc. diff --git a/src/security-advisories.md b/src/security-advisories.md index 67b1dd6..abc9b83 100644 --- a/src/security-advisories.md +++ b/src/security-advisories.md 
@@ -1,47 +1,34 @@ --- layout: default_md -title: Security Advisories -title-class: page-title-activemq5 -type: activemq5 +title: Security Advisories +title-class: page-title-main +type: main --- -[Community](community) > [Security Advisories](security-advisories) +#### Prior updates +Details of security problems fixed in released versions of individual Apache +ActiveMQ components are detailed at: -Apache ActiveMQ ---------------- +* [ActiveMQ 5](projects/classic/security) +* [ActiveMQ Artemis](projects/artemis/security) +* [ActiveMQ Apollo](security-advisories-apollo) -#### 2019 -* [CVE-2019-0222](security-advisories.data/CVE-2019-0222-announcement.txt) - Corrupt MQTT frame can cause broker shutdown +#### Reporting new security problems with Apache ActiveMQ components -#### 2018 -* [CVE-2018-8006](security-advisories.data/CVE-2018-8006-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting -* [CVE-2017-15709](security-advisories.data/CVE-2017-15709-announcement.txt) - Information Leak -* [CVE-2018-11775](security-advisories.data/CVE-2018-11775-announcement.txt) - Missing TLS Hostname Verification +We strongly encourage people to report security problems privately, using the +security mailing list of the ASF Security Team, before disclosing them in a +public forum. 
-#### 2017 -* [CVE-2015-7559](security-advisories.data/CVE-2015-7559-announcement.txt) - DoS in client via shutdown command - -#### 2016 -* [CVE-2016-6810](security-advisories.data/CVE-2016-6810-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting -* [CVE-2016-0734](security-advisories.data/CVE-2016-0734-announcement.txt) - ActiveMQ Web Console - Clickjacking -* [CVE-2016-0782](security-advisories.data/CVE-2016-0782-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting -* [CVE-2016-3088](security-advisories.data/CVE-2016-3088-announcement.txt) - ActiveMQ Fileserver web application vulnerabilities +Please see the [ASF Security Team](https://www.apache.org/security/) pages +for contact information and further detail on the process. -#### 2015 -* [CVE-2015-5254](security-advisories.data/CVE-2015-5254-announcement.txt) - Unsafe deserialization in ActiveMQ -* [CVE-2015-1830](security-advisories.data/CVE-2015-1830-announcement.txt) - Path traversal leading to unauthenticated RCE in ActiveMQ - -#### 2014 -* [CVE-2014-3576](security-advisories.data/CVE-2014-3576-announcement.txt) - Remote Unauthenticated Shutdown of Broker (DoS) -* [CVE-2014-3600](security-advisories.data/CVE-2014-3600-announcement.txt) - Apache ActiveMQ XXE with XPath selectors -* [CVE-2014-3612](security-advisories.data/CVE-2014-3612-announcement.txt) - ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation -* [CVE-2014-8110](security-advisories.data/CVE-2014-8110-announcement.txt) - ActiveMQ Web Console - Cross-Site Scripting - - -ActiveMQ Apollo ---------------- -#### 2014 -* [CVE-2014-3579](security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2) - ActiveMQ Apollo XXE with XPath selectors +The ASF Security Team cannot accept regular bug reports or other queries, +mail sent to tthem which does not relate to security problems in Apache +software will be ignored. 
+General questions such as those about using ActiveMQ components, or whether an +exiting published vulnerability applies to your application, etc, should be +addressed to our regular channels, e.g the users mailing list. Please see the +[Contact page](contact) for details of how to subscribe.
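Review bot: in the first nav.html hunk (@@ -40,6 +40,7 @@) the new Contact dropdown entry links to `{{site.baseurl}}/security-advisories.html` with an explicit `.html` suffix, while the neighbouring items (`{{site.baseurl}}/contact#chat`, `{{site.baseurl}}/contact#issues`) and the later `{{site.baseurl}}/team/reports` are extension-less. Use one form throughout so the site does not depend on both `/security-advisories` and `/security-advisories.html` resolving.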
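Review bot: the second nav.html hunk (@@ -72,7 +73,7 @@) drops the direct link to https://www.apache.org/security/ from the Foundation dropdown in favour of the project page, so the ASF-wide security page is now reachable only through the prose link on security-advisories.md. Worth confirming that this still satisfies the ASF website link expectations for a "Security" entry; if not, keep both links or point the Foundation entry back at the ASF page.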
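Review bot: the src/projects/artemis/security.md hunk carries the typo "vunerability" into the CVE-2016-4978 entry title (`- Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability`). The announcement txt may be a verbatim copy of what was sent, but the index line is new page text and should read "vulnerability". The same sentence about reporting ends "reporting new security issues" here and "reporting new issues" on the Apollo page; pick one wording for the three component pages.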
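Review bot: in the src/projects/classic/security.md hunk the year headings group advisories by announcement year rather than CVE year, which is why CVE-2017-15709 sits under "#### 2018" and CVE-2015-7559 under "#### 2017". A one-line note under the intro (e.g. "Advisories are grouped by the year they were announced.") would stop readers flagging those as misfiled. The hunk also adds a trailing blank line at the end of the file, which can be dropped.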
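Review bot: in the src/security-advisories-apollo.md hunk the CVE-2014-3579 link keeps the query string `?version=1&modificationDate=1423054118000&api=v2`, which is left over from the wiki attachment URL and does nothing for a file served from `security-advisories.data/`; drop it so the entry matches the plain `.txt` links on the other component pages. The page also reuses `title-class: page-title-activemq5` and `type: activemq5` for an Apollo page, so it will render with the 5.x styling and navigation; if that is deliberate a short comment in the front matter would help the next editor. The three blank lines before the next file header can be trimmed.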
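Review bot: the new CVE-2016-4978-announcement.txt has "vunerability" in its first line and typographic quotes around `readObject(java.io.ObjectInputStream in)`. If the file is intended as the announcement exactly as mailed, state that in the commit or page text and leave it; otherwise fix the spelling here as well so the title matches the corrected index entry.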
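Review bot: the new CVE-2017-12174-announcement.txt lists "1.1.0" twice in `Versions Affected: 1.0.0, 1.1.0, 1.1.0, 1.2.0, ...` and has "it's length" where "its length" is meant. As with the other txt file, either keep it verbatim as sent and say so, or tidy both; a duplicated version number in an affected-versions list is the kind of thing readers scanning for their own release will stumble over.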
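Review bot: the src/security-advisories.md hunk introduces user-facing typos that should be fixed before this goes live: "tthem" should be "them", "exiting published vulnerability" should be "existing published vulnerability", "e.g" should be "e.g.", and "cannot accept regular bug reports or other queries, mail sent to tthem" is a comma splice that reads better as "... or other queries; mail sent to them ...". Also "Details of security problems ... are detailed at:" repeats itself; "are listed at:" or "can be found at:" is cleaner.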