Thank you Mark, I already know that.

Regards,
r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department
> On 23 Dec 2020, at 15:44, Apache Security Team <[email protected]> wrote:
>
> Dear r00t4dm;
>
> Jonathan from Tomee PMC has already responded to you: We do not provide further help or guidance to verify vulnerabilities. We use [email protected] only for the reporting of new vulnerabilities.
>
> Best Regards, Mark.
>
> On Wed, Dec 23, 2020 at 4:32 AM r00t 4dm <[email protected]> wrote:
>>
>> Ok, thanks for your help, maybe I need to wait for the security team to reply to this email.
>> Last night I saw this vulnerability; it let me learn a lot.
>> Five days ago, I saw this vulnerability published in oss-security, and I began reading code from TomEE.
>> I am sure I read VMTransportFactory.java. I think VMTransportFactory.java has a security vulnerability, because when VMTransportFactory starts the brokerService the ManagementContext isn't controlled.
>> But I don't know how to get my code executed in the VMTransportFactory.java flow.
>> About this question, if you have some time, please tell me.
>>
>> Regards, r00t4dm
>> Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department
>>
>>> On 23 Dec 2020, at 01:18, Jonathan Gallimore <[email protected]> wrote:
>>>
>>>> maybe I wanna publish the full details of this vulnerability in https://paper.seebug.org/category/404team-en/
>>>> I want more security researchers to learn about this vulnerability.
>>>
>>> I've CC'd in the security email, in case they have a view on it. There's a bit of a delicate balance. In terms of the information the project itself gives out, we'd want to enable users to ensure they are not vulnerable whilst at the same time not giving too much information to people who may wish to use it maliciously. Given that I worked on this, I'd probably be well placed to do a writeup on the issue myself.
>>>
>>>> by the way, I wanna ask you one question.
>>>> I'm 23 years old, I want to one day in the future join the Apache security PMC.
>>>> What efforts do I need to make to join?
>>>
>>> Again, probably a question for the security team, rather than me (I'm not a member of the security team), but I'd suggest the following:
>>>
>>> * Start by reading this: https://www.apache.org/security/committers.html - this has the vulnerability disclosure process, and details the process by which a vulnerability is disclosed, fixed and released for ASF projects.
>>> * Ensure anything you disclose for ASF projects follows that process
>>> * Work with the projects to fix any issues; provide PRs, participate on the mailing lists
>>> * There's a large number of projects at the ASF, maybe pick a couple and join their communities. TomEE is interesting as it brings a number of other ASF projects together to produce a server targeting the Java EE / Jakarta EE web profile. Vulnerabilities in those projects may or may not have an effect on TomEE as well.
>>>
>>> Jon
>>>
>>> On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm <[email protected]> wrote:
>>> Hi,
>>>
>>> by the way, I wanna ask you one question.
>>> I'm 23 years old, I want to one day in the future join the Apache security PMC.
>>> What efforts do I need to make to join?
>>>
>>> r00t4dm
>>> A-TEAM of Legendsec at Qi'anxin Group
>>>
>>>
>>> r00t 4dm <[email protected]> wrote on Wed, 23 Dec 2020 at 00:50:
>>> maybe I wanna publish the full details of this vulnerability in https://paper.seebug.org/category/404team-en/
>>> I want more security researchers to learn about this vulnerability.
>>>
>>> r00t4dm
>>> A-TEAM of Legendsec at Qi'anxin Group
>>>
>>>
>>> Jonathan Gallimore <[email protected]> wrote on Wed, 23 Dec 2020 at 00:43:
>>> Specifically, what is it you're looking to publish, and where?
>>>
>>> Jon
>>>
>>> On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm <[email protected]> wrote:
>>> Hi,
>>>
>>> I am using the testcase https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
>>> I found how to open the 1099 port; if I fully succeed, can I make this vulnerability public?
>>>
>>> r00t4dm
>>> A-TEAM of Legendsec at Qi'anxin Group
>>>
>>>
>>> r00t 4dm <[email protected]> wrote on Wed, 23 Dec 2020 at 00:03:
>>> Hi,
>>>
>>> Thanks for your reply, I really want to know what configuration can open the 1099 port. I worked on this vulnerability for five days, still nothing came of it.
>>> I tested:
>>>
>>> 1.
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <tomee>
>>> <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>
>>> <!-- activate next line to be able to deploy applications in apps -->
>>> <!-- <Deployments dir="apps" /> -->
>>>
>>> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>>> BrokerXmlConfig=broker:(vm://broker)?useJmx=true
>>> ServerUrl=vm://broker?create=true
>>> </Resource>
>>> </tomee>
>>>
>>> 2.
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <tomee>
>>> <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>
>>> <!-- activate next line to be able to deploy applications in apps -->
>>> <Deployments dir="apps" />
>>>
>>>
>>> <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
>>> BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
>>> ServerUrl=vm://localhost?create=true
>>> </Resource>
>>>
>>> <Resource id="MyJmsConnectionFactory" type="javax.jms.ConnectionFactory">
>>> ResourceAdapter = MyJmsResourceAdapter
>>> </Resource>
>>>
>>>
>>> <Container id="MyJmsMdbContainer" ctype="MESSAGE">
>>> ResourceAdapter = MyJmsResourceAdapter
>>> </Container>
>>>
>>> <Resource id="FooQueue" type="javax.jms.Queue"/>
>>> <Resource id="BarTopic" type="javax.jms.Topic"/>
>>>
>>> </tomee>
>>>
>>> and more and more...
>>>
>>> but they all failed.
>>>
>>> Can you give me more details? Or is there any other way to get more details? I think the vulnerability has been fixed. Can we make it public? I just want to learn...
>>>
>>> r00t4dm
>>> A-TEAM of Legendsec at Qi'anxin Group
>>>
>>>
>>> Jonathan Gallimore <[email protected]> wrote on Tue, 22 Dec 2020 at 21:55:
>>> Hi,
>>>
>>> Thanks for your email about this issue. I've snipped out the images from your email below, as they make the message quite large and cause some mail lists to reject the message.
>>>
>>> When I received your email, I did do a check with a fresh vanilla TomEE 7.1.3, with a simple application deployed, and a vulnerable configuration. A JMX port was opened on tcp/1099 without authentication, so I can confirm that TomEE 7.1.3 is vulnerable to this issue. We worked quite extensively with the reporter to validate and reproduce the issue.
>>>
>>> There are a couple of things to note:
>>>
>>> * CVE-2020-13931 is the result of an incomplete fix for CVE-2020-11969, and specifically there is an edge-case that will cause this port to be opened up
>>> * The edge-case we saw can be mitigated through a configuration change or by upgrading.
>>> * The configuration error was a simple error to make, and having an unwanted, unauthenticated JMX port open when it wasn't explicitly configured, so a further patch was worthwhile (hence the further CVE). There may be other usages of the server which may also have exposed this issue.
>>>
>>> I hope that answers your queries. We don't give out vulnerable configurations or specific reproduction steps for security issues. If you have follow-up questions for this, I'd encourage you to post on the [email protected] or [email protected] mailing lists. If you have other security related issues to report, [email protected] is the address to report them (CC'd).
>>>
>>> Kind Regards
>>>
>>> Jon
>>>
>>>
>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm <[email protected]> wrote:
>>> Hello,
>>>
>>> On 2020/12/17 in the oss-security email list I saw this email: "[oss-security] CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled"
>>>
>>> here is the content of this email:
>>>
>>> Severity: High
>>> Vendor: The Apache Software Foundation
>>> Versions Affected:
>>> Apache TomEE 8.0.0-M1 - 8.0.3
>>> Apache TomEE 7.1.0 - 7.1.3
>>> Apache TomEE 7.0.0-M1 - 7.0.8
>>> Apache TomEE 1.0.0 - 1.7.5
>>> Description:
>>> If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
>>> Mitigation:
>>> - Upgrade to TomEE 7.0.9 or later
>>> - Upgrade to TomEE 7.1.4 or later
>>> - Upgrade to TomEE 8.0.4 or later
>>> Ensure the correct VM broker name is used consistently across the resource adapter config.
>>> Credit: Thanks to Frans Henskens for discovering and reporting this issue.
>>>
>>> So, I used TomEE 7.1.3 to test this vulnerability, and I found this vulnerability is fake.
>>> Frans Henskens has got something wrong.
>>>
>>> tomee.xml
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <tomee>
>>> <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>
>>> <!-- activate next line to be able to deploy applications in apps -->
>>> <!-- <Deployments dir="apps" /> -->
>>>
>>> <Resource id="Foo" type="ActiveMQResourceAdapter">
>>> BrokerXmlConfig=broker:(vm://localhost:61616)
>>> ServerUrl = vm://localhost?async=true
>>> </Resource>
>>> </tomee>
>>>
>>> I use this to start up TomEE 7.1.3.
>>>
>>> about the CVE-2020-11969 security patch code in ActiveMQ5Factory.java
>>> This is done before start (managementContext.setCreateConnector(false);)
>>>
>>> So, let me see:
>>> it can't call the createConnector() function, because before start() there is already managementContext.setCreateConnector(false);
>>> So the 1099 unauthorized JMX service will not be enabled.
>>> CVE-2020-13931 is a fake vulnerability.
>>>
>>>
>>> Did you test exactly what he said was a safety issue?
>>> Looking forward to your reply.
>>>
>>> r00t4dm
>>> A-TEAM of Legendsec at Qi'anxin Group
>>
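As an added defender-side example (not code from this thread or from the TomEE project), the script below audits a tomee.xml for the advisory's mitigation sentence, "Ensure the correct VM broker name is used consistently across the resource adapter config": it parses each ActiveMQResourceAdapter resource and flags any whose BrokerXmlConfig and ServerUrl name different vm:// brokers. The sample configs are constructed, and the check is a heuristic derived from that mitigation sentence, not the condition the project's fix tests.

```python
import re
import xml.etree.ElementTree as ET

# Captures the broker name of a vm:// URI, stopping at a port, query or closing paren.
VM_BROKER_NAME = re.compile(r"vm://([^?:/)]+)")


def parse_resource_props(body):
    """Parse the key=value lines inside a <Resource> body into a dict."""
    props = {}
    for line in (body or "").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skip blank lines and lines without '='
            props[key.strip()] = value.strip()
    return props


def audit_tomee_xml(xml_text):
    """Return [(resource id, sorted vm:// broker names)] for every
    ActiveMQResourceAdapter whose BrokerXmlConfig and ServerUrl disagree."""
    findings = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        props = parse_resource_props(res.text)
        names = set()
        for key in ("BrokerXmlConfig", "ServerUrl"):
            names.update(VM_BROKER_NAME.findall(props.get(key, "")))
        if len(names) > 1:
            findings.append((res.get("id"), sorted(names)))
    return findings


# Constructed sample configs (hypothetical, not taken from the thread).
MISMATCHED_XML = """<tomee>
  <Resource id="Foo" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://broker)
    ServerUrl=vm://localhost?create=true
  </Resource>
</tomee>"""

CONSISTENT_XML = """<tomee>
  <Resource id="Foo" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://localhost:61616)
    ServerUrl = vm://localhost?async=true
  </Resource>
</tomee>"""

if __name__ == "__main__":
    for label, xml in (("mismatched", MISMATCHED_XML), ("consistent", CONSISTENT_XML)):
        print(label, audit_tomee_xml(xml))  # mismatched lists both names; consistent is []
```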
