Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Apache Security Team
Dear r00t4dm;

Jonathan from the TomEE PMC has already responded to you: we do not
provide further help or guidance to verify vulnerabilities. We use
secur...@apache.org only for the reporting of new vulnerabilities.

Best Regards, Mark.

On Wed, Dec 23, 2020 at 4:32 AM r00t 4dm wrote:
>
> OK, thanks for your help. Maybe I need to wait for the security team to reply to this
> email.
> Last night I saw this vulnerability; it let me learn a lot.
> Five days ago, I saw this vulnerability published on oss-security, and I began reading
> the code of TomEE.
> I am sure I read VMTransportFactory.java. I think VMTransportFactory.java
> has a security vulnerability, because when the VMTransportFactory starts the
> brokerService, the ManagementContext isn't controlled.
> But I don't know how to get my code executed in the VMTransportFactory.java
> flow.
> About this question, if you have some time, please tell me.
>
> Regards, r00t4dm
> Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department
>
> > On Dec 23, 2020 at 1:18 AM, Jonathan Gallimore wrote:
> >
> > > Maybe I want to publish the full details of this vulnerability at
> > > https://paper.seebug.org/category/404team-en/
> > > I want more security researchers to learn about this vulnerability.
> >
> > I've CC'd in the security email, in case they have a view on it. There's a 
> > bit of a delicate balance. In terms of the information the project itself 
> > gives out, we'd want to enable users to ensure they are not vulnerable 
> > whilst at the same time not giving too much information to people who may wish 
> > to use it maliciously. Given that I worked on this, I'd probably be well 
> > placed to do a writeup on the issue myself.
> >
> > > By the way, I want to ask you one question.
> > > I'm 23 years old, and I want to join the Apache security PMC one day in the
> > > future.
> > > What efforts do I need to make to join?
> >
> > Again, probably a question for the security team, rather than me (I'm not a 
> > member of the security team), but I'd suggest the following:
> >
> > * Start by reading this: https://www.apache.org/security/committers.html - 
> > this has the vulnerability disclosure process, and details the process by 
> > which a vulnerability is disclosed, fixed and released for ASF projects.
> > * Ensure anything you disclose for ASF projects follows that process
> > * Work with the projects to fix any issues; provide PRs, participate on the 
> > mailing lists
> > * There's a large number of projects at the ASF, maybe pick a couple and 
> > join their communities. TomEE is interesting as it brings a number of other 
> > ASF projects together to produce a server targeting the Java EE / Jakarta 
> > EE webprofile. Vulnerabilities in those projects may or may not have an 
> > effect on TomEE as well.
> >
> > Jon
> >
> > On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm wrote:
> > Hi,
> >
> > By the way, I want to ask you one question.
> > I'm 23 years old, and I want to join the Apache security PMC one day in the
> > future.
> > What efforts do I need to make to join?
> >
> > r00t4dm
> > A-TEAM of Legendsec at Qi'anxin Group
> >
> >
> > On Wed, Dec 23, 2020 at 12:50 AM r00t 4dm wrote:
> > Maybe I want to publish the full details of this vulnerability at
> > https://paper.seebug.org/category/404team-en/
> > I want more security researchers to learn about this vulnerability.
> >
> > r00t4dm
> > A-TEAM of Legendsec at Qi'anxin Group
> >
> >
> > On Wed, Dec 23, 2020 at 12:43 AM Jonathan Gallimore wrote:
> > Specifically, what it is you're looking to publish, and where?
> >
> > Jon
> >
> > On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm wrote:
> > Hi,
> >
> > I am using the test case
> > https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
> > and I found how to open the 1099 port. If I fully succeed, can I make this
> > vulnerability public?
> >
> > r00t4dm
> > A-TEAM of Legendsec at Qi'anxin Group
> >
> >
> > On Wed, Dec 23, 2020 at 12:03 AM r00t 4dm wrote:
> > Hi,
> >
> > Thanks for your reply. I really want to know what configuration can open the
> > 1099 port. I worked on this vulnerability for five days, and still nothing came of
> > it.
> > I tested:
> >
> > 1.
> >
> >   BrokerXmlConfig=broker:(vm://broker)?useJmx=true
> >   ServerUrl=vm://broker?create=true
> >
> > 2.
> >
> >   BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
> >   ServerUrl=vm://localhost?create=true
> >
> >   ResourceAdapter = MyJmsResourceAdapter
> >
> >   ResourceAdapter = MyJmsResourceAdapter
> >
> > and more and more...
> >
> > but they all failed.
> >
> > Can you give me more details? Or is there any other way to get more details?
> > I think the vulnerability has been fixed. Can we make it public? I just want
> > to learn...
> >
> > r00t4dm
> > A-TEAM of Legendsec at Qi'anxin Group
> >
> >
> > On Tue, Dec 22, 2020 at 9:55 PM Jonathan Gallimore wrote:
> > Hi,
> >
> > 

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Jonathan Gallimore
> Maybe I want to publish the full details of this vulnerability at
> https://paper.seebug.org/category/404team-en/
> I want more security researchers to learn about this vulnerability.

I've CC'd in the security email, in case they have a view on it. There's a
bit of a delicate balance. In terms of the information the project itself
gives out, we'd want to enable users to ensure they are not vulnerable
whilst at the same time not giving too much information to people who may wish
to use it maliciously. Given that I worked on this, I'd probably be well
placed to do a writeup on the issue myself.

> By the way, I want to ask you one question.
> I'm 23 years old, and I want to join the Apache security PMC one day in the
> future.
> What efforts do I need to make to join?

Again, probably a question for the security team, rather than me (I'm not a
member of the security team), but I'd suggest the following:

* Start by reading this: https://www.apache.org/security/committers.html -
this has the vulnerability disclosure process, and details the process by
which a vulnerability is disclosed, fixed and released for ASF projects.
* Ensure anything you disclose for ASF projects follows that process
* Work with the projects to fix any issues; provide PRs, participate on the
mailing lists
* There's a large number of projects at the ASF, maybe pick a couple and
join their communities. TomEE is interesting as it brings a number of other
ASF projects together to produce a server targeting the Java EE / Jakarta
EE webprofile. Vulnerabilities in those projects may or may not have an
effect on TomEE as well.

Jon

On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm wrote:

> Hi,
>
> By the way, I want to ask you one question.
> I'm 23 years old, and I want to join the Apache security PMC one day in the
> future.
> What efforts do I need to make to join?
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
>
>
> On Wed, Dec 23, 2020 at 12:50 AM r00t 4dm wrote:
>
>> Maybe I want to publish the full details of this vulnerability at
>> https://paper.seebug.org/category/404team-en/
>> I want more security researchers to learn about this vulnerability.
>>
>> r00t4dm
>> A-TEAM of Legendsec at Qi'anxin Group
>>
>>
>> On Wed, Dec 23, 2020 at 12:43 AM Jonathan Gallimore wrote:
>>
>>> Specifically, what it is you're looking to publish, and where?
>>>
>>> Jon
>>>
>>> On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm wrote:
>>>
 Hi,

 I am using the test case
 https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
 and I found how to open the 1099 port. If I fully succeed, can I make this
 vulnerability public?

 r00t4dm
 A-TEAM of Legendsec at Qi'anxin Group


 On Wed, Dec 23, 2020 at 12:03 AM r00t 4dm wrote:

> Hi,
>
> Thanks for your reply. I really want to know what configuration can open
> the 1099 port. I worked on this vulnerability for five days, and still nothing
> came of it.
> I tested:
>
> 1.
>
>   BrokerXmlConfig=broker:(vm://broker)?useJmx=true
>   ServerUrl=vm://broker?create=true
>
> 2.
>
>   BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
>   ServerUrl=vm://localhost?create=true
>
>   ResourceAdapter = MyJmsResourceAdapter
>
>   ResourceAdapter = MyJmsResourceAdapter
>
> and more and more...
>
> but they all failed.
>
> Can you give me more details? Or is there any other way to get more
> details?
> I think the vulnerability has been fixed. Can we make it public? I just
> want to learn...
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
>
>
> On Tue, Dec 22, 2020 at 9:55 PM Jonathan Gallimore wrote:
>
>> Hi,
>>
>> Thanks for your email about this issue. I've snipped out the images
>> from your email below, as they make the message quite large and cause
>> some mail lists to reject the message.
>>
>> When I received your email, I did do a check with a fresh vanilla
>> TomEE 7.1.3, with a simple application deployed, and a vulnerable
>> configuration. A JMX port was opened on tcp/1099 without authentication,
>> so I can confirm that TomEE 7.1.3 is vulnerable to this issue. We worked
>> quite extensively with the reporter to validate and reproduce the issue.
>>
>> There are a couple of things to note:
>>
>> * CVE-2020-13931 is the result of an incomplete fix for
>> CVE-2020-11969, and specifically there is an edge-case that will cause
>> this port to be opened up
>> * The edge-case we saw can be mitigated through a configuration
>> change or by upgrading.
>> * The configuration error 

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Jonathan Gallimore
Specifically, what it is you're looking to publish, and where?

Jon

On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm wrote:

> Hi,
>
> I am using the test case
> https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
> and I found how to open the 1099 port. If I fully succeed, can I make this
> vulnerability public?
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
>
>
> On Wed, Dec 23, 2020 at 12:03 AM r00t 4dm wrote:
>
>> Hi,
>>
>> Thanks for your reply. I really want to know what configuration can open the
>> 1099 port. I worked on this vulnerability for five days, and still nothing came of
>> it.
>> I tested:
>>
>> 1.
>>
>>   BrokerXmlConfig=broker:(vm://broker)?useJmx=true
>>   ServerUrl=vm://broker?create=true
>>
>> 2.
>>
>>   BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
>>   ServerUrl=vm://localhost?create=true
>>
>>   ResourceAdapter = MyJmsResourceAdapter
>>
>>   ResourceAdapter = MyJmsResourceAdapter
>>
>> and more and more...
>>
>> but they all failed.
>>
>> Can you give me more details? Or is there any other way to get more
>> details?
>> I think the vulnerability has been fixed. Can we make it public? I just want
>> to learn...
>>
>> r00t4dm
>> A-TEAM of Legendsec at Qi'anxin Group
>>
>>
>> On Tue, Dec 22, 2020 at 9:55 PM Jonathan Gallimore wrote:
>>
>>> Hi,
>>>
>>> Thanks for your email about this issue. I've snipped out the images from
>>> your email below, as they make the message quite large and cause some mail
>>> lists to reject the message.
>>>
>>> When I received your email, I did do a check with a fresh vanilla TomEE
>>> 7.1.3, with a simple application deployed, and a vulnerable configuration.
>>> A JMX port was opened on tcp/1099 without authentication, so I can confirm
>>> that TomEE 7.1.3 is vulnerable to this issue. We worked quite extensively
>>> with the reporter to validate and reproduce the issue.
>>>
>>> There are a couple of things to note:
>>>
>>> * CVE-2020-13931 is the result of an incomplete fix for CVE-2020-11969,
>>> and specifically there is an edge-case that will cause this port to be
>>> opened up
>>> * The edge-case we saw can be mitigated through a configuration change
>>> or by upgrading.
>>> * The configuration error was a simple error to make, and having an
>>> unwanted, unauthenticated JMX port open when it wasn't
>>> explicitly configured, so a further patch was worthwhile (hence the further
>>> CVE). There may be other usages of the server which may also have exposed
>>> this issue.
>>>
>>> I hope that answers your queries. We don't give out vulnerable
>>> configurations or specific reproduction steps for security issues. If you
>>> have follow-up questions for this, I'd encourage you to post on the
>>> us...@tomee.apache.org or dev@tomee.apache.org mailing lists. If you
>>> have other security related issues to report, secur...@apache.org is
>>> the address to report them (CC'd).
>>>
>>> Kind Regards
>>>
>>> Jon
>>>
>>>
>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm wrote:
>>>
 Hello,

 On 2020/12/17, on the oss-security mailing list, I saw the email "[oss-security]
 CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can
 lead to JMX being enabled".

 Here is the content of this email:

> Severity: High
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache TomEE 8.0.0-M1 - 8.0.3
> Apache TomEE 7.1.0 - 7.1.3
> Apache TomEE 7.0.0-M1 - 7.0.8
> Apache TomEE 1.0.0 - 1.7.5
> Description:
> If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
> broker config is misconfigured, a JMX port is opened on TCP port 1099,
> which does not include authentication. CVE-2020-11969 previously addressed
> the creation of the JMX management interface, however the incomplete fix
> did not cover this edge case.
> Mitigation:
> - Upgrade to TomEE 7.0.9 or later
> - Upgrade to TomEE 7.1.4 or later
> - Upgrade to TomEE 8.0.4 or later
> Ensure the correct VM broker name is used consistently across the
> resource adapter config.
> Credit: Thanks to Frans Henskens for discovering and reporting this issue.


 So, I used TomEE 7.1.3 to test this vulnerability, and I found that
 this vulnerability is fake.
 Frans Henskens got something wrong.

 tomee.xml

 BrokerXmlConfig=broker:(vm://localhost:61616)
 ServerUrl = vm://localhost?async=true

 I use this to start up TomEE 7.1.3.

 About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java:
 this is done before start() (managementContext.setCreateConnector(false);).

 So, let me see:
 it can't call the createConnector() function, because before start() is
 
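As an added example that is not part of this thread or of TomEE itself: a small check for the mitigation the quoted advisory gives ("Ensure the correct VM broker name is used consistently across the resource adapter config"), run over constructed property bodies in the key=value form used inside tomee.xml resources. The additional useJmx report and both sample configurations are assumptions of this example, not statements from the advisory.

```python
import re

# vm:// transport URIs as used in TomEE's ActiveMQ resource adapter config,
# e.g. vm://broker or vm://localhost:61616; the group is the broker name.
VM_URI_RE = re.compile(r"vm://([A-Za-z0-9_.-]+)")

def parse_properties(body: str) -> dict:
    """Parse the key=value lines found inside a tomee.xml <Resource> body."""
    props = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def vm_broker_names(value: str) -> set:
    """Broker names referenced by vm:// URIs in one property value."""
    return set(VM_URI_RE.findall(value))

def check_broker_config(body: str) -> list:
    """Return findings for one resource adapter body; empty means consistent.

    Check 1 follows the advisory's mitigation: every vm:// broker named in
    ServerUrl must also be the broker named in BrokerXmlConfig.  Check 2 is an
    assumption of this example: an explicit useJmx=true is reported so the
    operator can confirm the JMX port is intended and protected.
    """
    props = parse_properties(body)
    broker_cfg = props.get("BrokerXmlConfig", "")
    server_url = props.get("ServerUrl", "")
    cfg_names, url_names = vm_broker_names(broker_cfg), vm_broker_names(server_url)
    findings = []
    if cfg_names and url_names and not url_names <= cfg_names:
        findings.append(f"ServerUrl names broker {sorted(url_names)} but "
                        f"BrokerXmlConfig names {sorted(cfg_names)}")
    if "usejmx=true" in broker_cfg.lower():
        findings.append("BrokerXmlConfig sets useJmx=true; confirm JMX is wanted")
    return findings

# Constructed sample bodies, not configurations taken from the thread.
CONSISTENT = """
BrokerXmlConfig=broker:(vm://broker)?useJmx=false
ServerUrl=vm://broker?create=true
"""
INCONSISTENT = """
BrokerXmlConfig = broker:(vm://broker)?useJmx=true
ServerUrl = vm://localhost?create=true
"""

if __name__ == "__main__":
    for label, body in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(label, check_broker_config(body) or ["OK"])
```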

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Mark J Cox
Hi Jonathan

That's a perfect approach and reply suggestion, go for it!  I wonder too
sometimes if this is a tactic in order for a lazy researcher to try to gain
a reproducer.

(I wouldn't worry about cc'ing in private@tomee though, you probably don't
want to get that list too polluted, dev/user list is fine for followups).

Regards, Mark J Cox
ASF Security