Specifically, what it is you're looking to publish, and where?

Jon
On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm <[email protected]> wrote:

> Hi,
>
> Using the test case
> https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
> I found how to open the 1099 port. If I fully succeed, can I make this
> vulnerability public?
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
>
>
> r00t 4dm <[email protected]> wrote on Wed, Dec 23, 2020 at 12:03 AM:
>
>> Hi,
>>
>> Thanks for your reply. I really want to know what configuration can open
>> the 1099 port. I worked on this vulnerability for five days and still
>> nothing came of it.
>> I tested:
>>
>> 1.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <tomee>
>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>
>>   <!-- activate next line to be able to deploy applications in apps -->
>>   <!-- <Deployments dir="apps" /> -->
>>
>>   <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>>     BrokerXmlConfig=broker:(vm://broker)?useJmx=true
>>     ServerUrl=vm://broker?create=true
>>   </Resource>
>> </tomee>
>>
>> 2.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <tomee>
>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>
>>   <!-- activate next line to be able to deploy applications in apps -->
>>   <Deployments dir="apps" />
>>
>>
>>   <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
>>     BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
>>     ServerUrl=vm://localhost?create=true
>>   </Resource>
>>
>>   <Resource id="MyJmsConnectionFactory" type="javax.jms.ConnectionFactory">
>>     ResourceAdapter = MyJmsResourceAdapter
>>   </Resource>
>>
>>
>>   <Container id="MyJmsMdbContainer" ctype="MESSAGE">
>>     ResourceAdapter = MyJmsResourceAdapter
>>   </Container>
>>
>>   <Resource id="FooQueue" type="javax.jms.Queue"/>
>>   <Resource id="BarTopic" type="javax.jms.Topic"/>
>>
>> </tomee>
>>
>> and more and more...
>>
>> but they all failed.
>>
>> Can you give me more details? Or is there any other way to get more
>> details?
>> I think the vulnerability has been fixed. Can we make it public? I just
>> want to learn...
>>
>> r00t4dm
>> A-TEAM of Legendsec at Qi'anxin Group
>>
>>
>> Jonathan Gallimore <[email protected]> wrote on Tue, Dec 22, 2020 at 9:55 PM:
>>
>>> Hi,
>>>
>>> Thanks for your email about this issue. I've snipped out the images from
>>> your email below, as they make the message quite large and cause some mail
>>> lists to reject the message.
>>>
>>> When I received your email, I did do a check with a fresh vanilla TomEE
>>> 7.1.3, with a simple application deployed, and a vulnerable configuration.
>>> A JMX port was opened on tcp/1099 without authentication, so I can confirm
>>> that TomEE 7.1.3 is vulnerable to this issue. We worked quite extensively
>>> with the reporter to validate and reproduce the issue.
>>>
>>> There are a couple of things to note:
>>>
>>>   * CVE-2020-13931 is the result of an incomplete fix for CVE-2020-11969,
>>>     and specifically there is an edge-case that will cause this port to be
>>>     opened up
>>>   * The edge-case we saw can be mitigated through a configuration change
>>>     or by upgrading.
>>>   * The configuration error was a simple error to make, and having an
>>>     unwanted, unauthenticated JMX port open when it wasn't
>>>     explicitly configured, so a further patch was worthwhile (hence the further
>>>     CVE). There may be other usages of the server which may also have exposed
>>>     this issue.
>>>
>>> I hope that answers your queries. We don't give out vulnerable
>>> configurations or specific reproduction steps for security issues. If you
>>> have follow-up questions for this, I'd encourage you to post on the
>>> [email protected] or [email protected] mailing lists. If you
>>> have other security related issues to report, [email protected] is
>>> the address to report them (CC'd).
>>>
>>> Kind Regards
>>>
>>> Jon
>>>
>>>
>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> On 2020/12/17 on the oss-security list I saw the email "[oss-security]
>>>> CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can
>>>> lead to JMX being enabled".
>>>>
>>>> Here is the content of this email:
>>>>
>>>>> Severity: High
>>>>> Vendor: The Apache Software Foundation
>>>>> Versions Affected:
>>>>> Apache TomEE 8.0.0-M1 - 8.0.3
>>>>> Apache TomEE 7.1.0 - 7.1.3
>>>>> Apache TomEE 7.0.0-M1 - 7.0.8
>>>>> Apache TomEE 1.0.0 - 1.7.5
>>>>> Description:
>>>>> If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
>>>>> broker config is misconfigured, a JMX port is opened on TCP port 1099,
>>>>> which does not include authentication. CVE-2020-11969 previously addressed
>>>>> the creation of the JMX management interface, however the incomplete fix
>>>>> did not cover this edge case.
>>>>> Mitigation:
>>>>> - Upgrade to TomEE 7.0.9 or later
>>>>> - Upgrade to TomEE 7.1.4 or later
>>>>> - Upgrade to TomEE 8.0.4 or later
>>>>> Ensure the correct VM broker name is used consistently across the resource
>>>>> adapter config.
>>>>> Credit: Thanks to Frans Henskens for discovering and reporting this
>>>>> issue.
>>>>
>>>>
>>>> So, I used TomEE 7.1.3 to test this vulnerability, and I found that
>>>> this vulnerability is fake.
>>>> Frans Henskens has got something wrong.
>>>>
>>>> tomee.xml
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <tomee>
>>>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>>
>>>>   <!-- activate next line to be able to deploy applications in apps -->
>>>>   <!-- <Deployments dir="apps" /> -->
>>>>
>>>>   <Resource id="Foo" type="ActiveMQResourceAdapter">
>>>>     BrokerXmlConfig=broker:(vm://localhost:61616)
>>>>     ServerUrl = vm://localhost?async=true
>>>>   </Resource>
>>>> </tomee>
>>>>
>>>> I used this to start up TomEE 7.1.3.
>>>>
>>>> About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java:
>>>> this is done before start (managementContext.setCreateConnector(false);).
>>>>
>>>> So, let me see:
>>>> it can't call the createConnector() function, because before start()
>>>> managementContext.setCreateConnector(false); has already been called.
>>>> So the unauthorized JMX service on 1099 will not be enabled.
>>>> CVE-2020-13931 is a fake vulnerability.
>>>>
>>>>
>>>>
>>>>
>>>> Did you test exactly what he said was a safety issue?
>>>> Looking forward to your reply.
>>>>
>>>> r00t4dm
>>>> A-TEAM of Legendsec at Qi'anxin Group
>>>>
>>>
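The advisory quoted in the thread gives operators one configuration-level mitigation besides upgrading: use the same VM broker name consistently across the resource adapter config. The following is an added example, not code from this thread or from the Apache TomEE project, that turns that line into a review check for tomee.xml. It assumes the layout shown in the thread (key=value property lines inside a `<Resource type="ActiveMQResourceAdapter">` element); the two sample documents and the broker names in them are constructed. It only reports the inconsistency the advisory tells operators to avoid, and makes no claim about whether any given mismatch opens the port; findings are review items, not a vulnerability verdict.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomee.xml documents (not taken from the thread).
# The first uses one VM broker name throughout; the second mixes two names.
CONSISTENT = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <Resource id="JmsRA" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://broker)?persistent=false
    ServerUrl=vm://broker?create=true
  </Resource>
</tomee>
"""

INCONSISTENT = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <!-- the ConnectionFactory is here only to show that non-adapter
       resources are skipped by the audit -->
  <Resource id="JmsRA" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://brokerA)?persistent=false
    ServerUrl = vm://brokerB?create=true
  </Resource>
  <Resource id="Cf" type="javax.jms.ConnectionFactory">
    ResourceAdapter = JmsRA
  </Resource>
</tomee>
"""

# A VM transport URI looks like vm://<name>, optionally followed by
# ':port', '?params', a ',' separating composite URIs, or a closing ')'.
VM_NAME = re.compile(r"vm://([^:/?,)\s]+)")


def parse_properties(text):
    """Parse the key=value lines that TomEE accepts inside a <Resource> body.

    Spaces around '=' are tolerated, as in 'ServerUrl = vm://x?async=true'.
    """
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def vm_broker_names(value):
    """Return the set of VM broker names referenced in a URI string."""
    return set(VM_NAME.findall(value))


def audit_tomee_xml(xml_text):
    """Return one finding per ActiveMQResourceAdapter whose BrokerXmlConfig
    and ServerUrl name different VM brokers. An empty list means the advisory's
    consistency rule is satisfied for every adapter in the file."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for res in root.iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        props = parse_properties(res.text)
        cfg_names = vm_broker_names(props.get("BrokerXmlConfig", ""))
        url_names = vm_broker_names(props.get("ServerUrl", ""))
        # Only compare when both sides actually use the vm:// transport.
        if cfg_names and url_names and cfg_names != url_names:
            findings.append(
                f"{res.get('id')}: BrokerXmlConfig names VM broker(s) "
                f"{sorted(cfg_names)} but ServerUrl names {sorted(url_names)}"
            )
    return findings


if __name__ == "__main__":
    for label, doc in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(label, audit_tomee_xml(doc) or "no findings")
```

Run it against a real file with `audit_tomee_xml(open("conf/tomee.xml").read())`. Because it inspects only the configuration, pair it with a runtime check (whether anything is listening on tcp/1099 on the host after startup) when you actually need to know the state of a deployed server rather than just whether the config follows the advisory's rule.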
