I would like to say I have not followed this thread. I am only responding because I saw port 1099 mentioned.
This is the default port for RMI to look up objects. You can change the security manually in $JAVA_HOME/jre/lib/security/java.security or programmatically.

Z.
https://www.backbutton.co.uk/
¯\_(ツ)_/¯ ♡۶♡۶ ♡۶

On Wed, 23 Dec 2020, 07:44 Apache Security Team, <secur...@apache.org> wrote:

> Dear r00t4dm;
>
> Jonathan from Tomee PMC has already responded to you: We do not provide further help or guidance to verify vulnerabilities. We use secur...@apache.org only for the reporting of new vulnerabilities.
>
> Best Regards, Mark.
>
> On Wed, Dec 23, 2020 at 4:32 AM r00t 4dm <r00t...@gmail.com> wrote:
> >
> > Ok, thanks for your help, maybe I need to wait for the security team to reply to this email.
> > Last night I saw this vulnerability; it let me learn a lot.
> > Five days ago, I saw this vulnerability published in oss-security, and I began to read code from TomEE.
> > I am sure I read VMTransportFactory.java. I think VMTransportFactory.java has a security vulnerability, because when VMTransportFactory starts brokerService the ManagementContext isn't controlled.
> > But I don't know how to get my code executed in the VMTransportFactory.java flow.
> > About this question, if you have some time, please tell me.
> >
> > Regards, r00t4dm
> > Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department
> >
> >
> > > On 23 Dec 2020, at 1:18 AM, Jonathan Gallimore <jgallim...@apache.org> wrote:
> > >
> > > > maybe I wanna publish the full details of this vulnerability in https://paper.seebug.org/category/404team-en/
> > > > I want more security researchers to learn from this vulnerability.
> > >
> > > I've CC'd in the security email, in case they have a view on it. There's a bit of a delicate balance. In terms of the information the project itself gives out, we'd want to enable users to ensure they are not vulnerable whilst at the same time not giving too much information to people who may wish to use it maliciously. Given that I worked on this, I'd probably be well placed to do a writeup on the issue myself.
> > >
> > > > by the way, I wanna ask you one question.
> > > > I'm 23 years old, I want to one day in the future join the Apache security PMC.
> > > > What efforts do I need to make to join?
> > >
> > > Again, probably a question for the security team, rather than me (I'm not a member of the security team), but I'd suggest the following:
> > >
> > > * Start by reading this: https://www.apache.org/security/committers.html - this has the vulnerability disclosure process, and details the process by which a vulnerability is disclosed, fixed and released for ASF projects.
> > > * Ensure anything you disclose for ASF projects follows that process
> > > * Work with the projects to fix any issues; provide PRs, participate on the mailing lists
> > > * There's a large number of projects at the ASF, maybe pick a couple and join their communities. TomEE is interesting as it brings a number of other ASF projects together to produce a server targeting the Java EE / Jakarta EE webprofile. Vulnerabilities in those projects may or may not have an effect on TomEE as well.
> > >
> > > Jon
> > >
> > > On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm <r00t...@gmail.com> wrote:
> > > Hi,
> > >
> > > by the way, I wanna ask you one question.
> > > I'm 23 years old, I want to one day in the future join the Apache security PMC.
> > > What efforts do I need to make to join?
> > >
> > > r00t4dm
> > > A-TEAM of Legendsec at Qi'anxin Group
> > >
> > >
> > > r00t 4dm <r00t...@gmail.com> wrote on Wed, 23 Dec 2020 at 12:50 AM:
> > > maybe I wanna publish the full details of this vulnerability in https://paper.seebug.org/category/404team-en/
> > > I want more security researchers to learn from this vulnerability.
> > >
> > > r00t4dm
> > > A-TEAM of Legendsec at Qi'anxin Group
> > >
> > >
> > > Jonathan Gallimore <jgallim...@apache.org> wrote on Wed, 23 Dec 2020 at 12:43 AM:
> > > Specifically, what is it you're looking to publish, and where?
> > >
> > > Jon
> > >
> > > On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm <r00t...@gmail.com> wrote:
> > > Hi,
> > >
> > > I am using the testcase https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
> > > I found how to open the 1099 port. If I fully succeed, can I make this vulnerability public?
> > >
> > > r00t4dm
> > > A-TEAM of Legendsec at Qi'anxin Group
> > >
> > >
> > > r00t 4dm <r00t...@gmail.com> wrote on Wed, 23 Dec 2020 at 12:03 AM:
> > > Hi,
> > >
> > > Thanks for your reply. I really want to know what configuration can open the 1099 port. I worked on this vulnerability for five days, still nothing came of it.
> > > I tested:
> > >
> > > 1.
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <tomee>
> > >   <!-- see http://tomee.apache.org/containers-and-resources.html -->
> > >
> > >   <!-- activate next line to be able to deploy applications in apps -->
> > >   <!-- <Deployments dir="apps" /> -->
> > >
> > >   <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> > >     BrokerXmlConfig=broker:(vm://broker)?useJmx=true
> > >     ServerUrl=vm://broker?create=true
> > >   </Resource>
> > > </tomee>
> > >
> > > 2.
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <tomee>
> > >   <!-- see http://tomee.apache.org/containers-and-resources.html -->
> > >
> > >   <!-- activate next line to be able to deploy applications in apps -->
> > >   <Deployments dir="apps" />
> > >
> > >
> > >   <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
> > >     BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
> > >     ServerUrl=vm://localhost?create=true
> > >   </Resource>
> > >
> > >   <Resource id="MyJmsConnectionFactory" type="javax.jms.ConnectionFactory">
> > >     ResourceAdapter = MyJmsResourceAdapter
> > >   </Resource>
> > >
> > >
> > >   <Container id="MyJmsMdbContainer" ctype="MESSAGE">
> > >     ResourceAdapter = MyJmsResourceAdapter
> > >   </Container>
> > >
> > >   <Resource id="FooQueue" type="javax.jms.Queue"/>
> > >   <Resource id="BarTopic" type="javax.jms.Topic"/>
> > >
> > > </tomee>
> > >
> > > and more and more...
> > >
> > > but they all failed.
> > >
> > > Can you give me more details? Or is there any other way to get more details?
> > > I think the vulnerability has been fixed. Can we make it public? I just want to learn...
> > >
> > > r00t4dm
> > > A-TEAM of Legendsec at Qi'anxin Group
> > >
> > >
> > > Jonathan Gallimore <jgallim...@apache.org> wrote on Tue, 22 Dec 2020 at 9:55 PM:
> > > Hi,
> > >
> > > Thanks for your email about this issue. I've snipped out the images from your email below, as they make the message quite large and cause some mail lists to reject the message.
> > >
> > > When I received your email, I did do a check with a fresh vanilla TomEE 7.1.3, with a simple application deployed, and a vulnerable configuration. A JMX port was opened on tcp/1099 without authentication, so I can confirm that TomEE 7.1.3 is vulnerable to this issue. We worked quite extensively with the reporter to validate and reproduce the issue.
> > >
> > > There are a couple of things to note:
> > >
> > > * CVE-2020-13931 is the result of an incomplete fix for CVE-2020-11969, and specifically there is an edge-case that will cause this port to be opened up
> > > * The edge-case we saw can be mitigated through a configuration change or by upgrading.
> > > * The configuration error was a simple error to make, and having an unwanted, unauthenticated JMX port open when it wasn't explicitly configured, so a further patch was worthwhile (hence the further CVE). There may be other usages of the server which may also have exposed this issue.
> > >
> > > I hope that answers your queries. We don't give out vulnerable configurations or specific reproduction steps for security issues. If you have follow-up questions for this, I'd encourage you to post on the us...@tomee.apache.org or dev@tomee.apache.org mailing lists. If you have other security related issues to report, secur...@apache.org is the address to report them (CC'd).
> > >
> > > Kind Regards
> > >
> > > Jon
> > >
> > >
> > > On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm <r00t...@gmail.com> wrote:
> > > Hello,
> > >
> > > On 2020/12/17 in an oss-security email I saw the [oss-security] "CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled" email.
> > >
> > > Here is the content of this email:
> > >
> > > Severity: High
> > > Vendor: The Apache Software Foundation
> > > Versions Affected:
> > > Apache TomEE 8.0.0-M1 - 8.0.3
> > > Apache TomEE 7.1.0 - 7.1.3
> > > Apache TomEE 7.0.0-M1 - 7.0.8
> > > Apache TomEE 1.0.0 - 1.7.5
> > > Description:
> > > If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
> > > Mitigation:
> > > - Upgrade to TomEE 7.0.9 or later
> > > - Upgrade to TomEE 7.1.4 or later
> > > - Upgrade to TomEE 8.0.4 or later
> > > Ensure the correct VM broker name is used consistently across the resource adapter config.
> > > Credit: Thanks to Frans Henskens for discovering and reporting this issue.
> > >
> > > So, I used TomEE 7.1.3 to test this vulnerability, and I found this vulnerability is Fake.
> > > Frans Henskens has something wrong.
> > >
> > > tomee.xml
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <tomee>
> > >   <!-- see http://tomee.apache.org/containers-and-resources.html -->
> > >
> > >   <!-- activate next line to be able to deploy applications in apps -->
> > >   <!-- <Deployments dir="apps" /> -->
> > >
> > >   <Resource id="Foo" type="ActiveMQResourceAdapter">
> > >     BrokerXmlConfig=broker:(vm://localhost:61616)
> > >     ServerUrl = vm://localhost?async=true
> > >   </Resource>
> > > </tomee>
> > >
> > > I use this to start up TomEE 7.1.3.
> > >
> > > About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java:
> > > This is done before start (managementContext.setCreateConnector(false);)
> > >
> > > So, let me see:
> > > it can't call the createConnector() function, because before start() there is already managementContext.setCreateConnector(false);
> > > So the unauthorized JMX service on 1099 will not be enabled.
> > > CVE-2020-13931 is a Fake vulnerability
> > >
> > >
> > > Did you test exactly what he said was a safety issue?
> > > Looking forward to your reply.
> > >
> > > r00t4dm
> > > A-TEAM of Legendsec at Qi'anxin Group
> > >
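The advisory quoted in the thread gives one configuration-side mitigation, "ensure the correct VM broker name is used consistently across the resource adapter config", and the thread shows several tomee.xml resource sections without saying which naming pattern matters. The following is an added example, not code from the thread, from TomEE or from ActiveMQ: a small lint that reads a tomee.xml, finds each ActiveMQResourceAdapter resource, and reports whether the vm:// broker name in ServerUrl is one the BrokerXmlConfig URI can be reached by. Assumptions, labelled in the code: Resource bodies are key=value lines; when BrokerXmlConfig names no vm:// transport, the broker name comes from its brokerName= parameter or ActiveMQ's default broker name "localhost"; the mismatched configuration at the bottom is invented to show the check firing. A "mismatch" result is a hygiene finding only; the lint does not decide whether a given file opens a JMX port, which is exactly the detail the project declined to give out.

```python
"""Lint tomee.xml ActiveMQResourceAdapter resources for a consistent VM broker name.

Added example for this thread; not code from the thread, TomEE or ActiveMQ.
Assumptions: Resource bodies are key=value lines; if BrokerXmlConfig has no vm://
transport, the broker name is its brokerName= parameter or ActiveMQ's default
"localhost". A "mismatch" is a configuration-hygiene finding, nothing more.
"""
import re
import xml.etree.ElementTree as ET

VM_NAME_RE = re.compile(r"vm://([A-Za-z0-9_.-]+)")            # vm://<name>[:port][?params]
BROKER_NAME_RE = re.compile(r"brokerName=([A-Za-z0-9_.-]+)")  # broker:(...)?brokerName=<name>
PROP_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")
DEFAULT_BROKER_NAME = "localhost"  # ActiveMQ BrokerService default (assumption, see docstring)


def parse_resource_properties(body):
    """Parse the key=value lines TomEE places inside a <Resource> element."""
    props = {}
    for line in body.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def broker_names_in_config(broker_xml_config):
    """Broker names reachable through vm:// according to BrokerXmlConfig."""
    names = set(VM_NAME_RE.findall(broker_xml_config))
    if names:
        return names
    m = BROKER_NAME_RE.search(broker_xml_config)
    return {m.group(1)} if m else {DEFAULT_BROKER_NAME}


def lint_tomee_xml(xml_text):
    """Return one finding per ActiveMQResourceAdapter resource: id, status, details."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes so the XML declaration is honoured
    findings = []
    for res in root.iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        props = parse_resource_properties(res.text or "")
        cfg = props.get("BrokerXmlConfig", "")
        url = props.get("ServerUrl", "")
        cfg_names = broker_names_in_config(cfg)
        url_names = set(VM_NAME_RE.findall(url))
        detail = []
        if not url_names:
            status = "unverified"
            detail.append("ServerUrl is not a vm:// URL; consistency cannot be checked statically")
        elif url_names <= cfg_names:
            status = "consistent"
        else:
            status = "mismatch"
            detail.append("ServerUrl broker %s not among BrokerXmlConfig names %s"
                          % (sorted(url_names), sorted(cfg_names)))
        if "usejmx=true" in cfg.lower():
            detail.append("useJmx=true is set explicitly; confirm the JMX connector is authenticated")
        findings.append({"id": res.get("id"), "status": status, "detail": detail})
    return findings


# Constructed inputs. The first two are the resource sections posted in the thread
# (comments trimmed); the third is an invented mismatch to exercise the check.
CONFIG_SAME_NAME = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://broker)?useJmx=true
    ServerUrl=vm://broker?create=true
  </Resource>
</tomee>
"""

CONFIG_TCP_BROKER = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
    ServerUrl=vm://localhost?create=true
  </Resource>
</tomee>
"""

CONFIG_MISMATCH = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <Resource id="Mismatched" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://brokerA)
    ServerUrl=vm://brokerB?create=true
  </Resource>
</tomee>
"""

if __name__ == "__main__":
    for label, cfg in [("same-name", CONFIG_SAME_NAME), ("tcp-broker", CONFIG_TCP_BROKER),
                       ("mismatch", CONFIG_MISMATCH)]:
        for f in lint_tomee_xml(cfg):
            print(label, f["id"], f["status"], "; ".join(f["detail"]))
```

Run it against a real tomee.xml by passing the file's text to lint_tomee_xml; the two sections taken from the thread come back "consistent", the invented one "mismatch", and a ServerUrl that is not vm:// is reported as "unverified" rather than guessed at.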