[jira] [Commented] (AMQ-9197) Prototype Javascript Framework - CVE-2020-27511
[ https://issues.apache.org/jira/browse/AMQ-9197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17686168#comment-17686168 ] Nikhil commented on AMQ-9197: - Hi [~jbonofre] Thanks for the quick fix.. Do you have any timeline for the ActiveMQ 5.16.6 release ? I see that the last release of 5.16.x (I.e., 5.16.5) is released in May 2022 so just wanted to understand the plan. Thank you.. > Prototype Javascript Framework - CVE-2020-27511 > --- > > Key: AMQ-9197 > URL: https://issues.apache.org/jira/browse/AMQ-9197 > Project: ActiveMQ > Issue Type: Dependency upgrade > Components: Web Console >Affects Versions: 5.16.3, 5.16.4, 5.16.5 >Reporter: Nikhil >Assignee: Jean-Baptiste Onofré >Priority: Major > Fix For: 5.18.0, 5.16.6, 5.17.4 > > Time Spent: 10m > Remaining Estimate: 0h > > An issue was discovered in the stripTags and unescapeHTML components in > Prototype 1.7.1 version 1.6 and below where an attacker can cause a Regular > Expression Denial of Service (ReDOS) through stripping crafted HTML tags. > > See [https://nvd.nist.gov/vuln/detail/CVE-2020-27511] for further details > > *prototype.js* is part of activemq-web-5.16.3.jar which is shipped inside > *activemq-web-console.war* > > Can someone please confirm the affected projects of activeMQ for this > prototype.js library.. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (AMQ-9197) Prototype Javascript Framework - CVE-2020-27511
[ https://issues.apache.org/jira/browse/AMQ-9197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17684471#comment-17684471 ] Nikhil commented on AMQ-9197: - Hi [~jbonofre] Looks like the vulnerable code exists in older versions as well through *1.6.x* which is part of ActiveMQ library.. this is fixed in *1.7.1-3* version of prototype.js module.. Could you please review once ? Reference - [https://security-tracker.debian.org/tracker/CVE-2020-27511] Thank you! > Prototype Javascript Framework - CVE-2020-27511 > --- > > Key: AMQ-9197 > URL: https://issues.apache.org/jira/browse/AMQ-9197 > Project: ActiveMQ > Issue Type: Dependency upgrade > Components: Web Console >Affects Versions: 5.16.3, 5.16.4, 5.16.5 >Reporter: Nikhil >Assignee: Jean-Baptiste Onofré >Priority: Major > > An issue was discovered in the stripTags and unescapeHTML components in > Prototype 1.7.3 version 1.6 and below where an attacker can cause a Regular > Expression Denial of Service (ReDOS) through stripping crafted HTML tags. > > See [https://nvd.nist.gov/vuln/detail/CVE-2020-27511] for further details > > *prototype.js* is part of activemq-web-5.16.3.jar which is shipped inside > *activemq-web-console.war* > > Can someone please confirm the affected projects of activeMQ for this > prototype.js library.. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Reopened] (AMQ-9197) Prototype Javascript Framework - CVE-2020-27511
[ https://issues.apache.org/jira/browse/AMQ-9197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nikhil reopened AMQ-9197: - > Prototype Javascript Framework - CVE-2020-27511 > --- > > Key: AMQ-9197 > URL: https://issues.apache.org/jira/browse/AMQ-9197 > Project: ActiveMQ > Issue Type: Dependency upgrade > Components: Web Console >Affects Versions: 5.16.3, 5.16.4, 5.16.5 >Reporter: Nikhil >Assignee: Jean-Baptiste Onofré >Priority: Major > > An issue was discovered in the stripTags and unescapeHTML components in > Prototype 1.7.3 version 1.6 and below where an attacker can cause a Regular > Expression Denial of Service (ReDOS) through stripping crafted HTML tags. > > See [https://nvd.nist.gov/vuln/detail/CVE-2020-27511] for further details > > *prototype.js* is part of activemq-web-5.16.3.jar which is shipped inside > *activemq-web-console.war* > > Can someone please confirm the affected projects of activeMQ for this > prototype.js library.. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (AMQ-9195) Upgrade XStream to 1.4.20 - CVE-2022-41966
[
https://issues.apache.org/jira/browse/AMQ-9195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679696#comment-17679696
]
Nikhil commented on AMQ-9195:
-
Few other vulnerabilities were also fixed as part of 1.4.20 version.
Please see [https://github.com/x-stream/xstream/issues/304] and
[https://github.com/x-stream/xstream/issues/314] for more details.
> Upgrade XStream to 1.4.20 - CVE-2022-41966
> --
>
> Key: AMQ-9195
> URL: https://issues.apache.org/jira/browse/AMQ-9195
> Project: ActiveMQ
> Issue Type: Dependency upgrade
>Affects Versions: 5.16.5
>Reporter: Nikhil
>Priority: Major
>
> {*}Summary{*}: XStream serializes Java objects to XML and back again.
> Versions prior to 1.4.20 may allow a remote attacker to terminate the
> application with a stack overflow error, resulting in a denial of service
> only via manipulation the processed input stream. The attack uses the hash
> code implementation for collections and maps to force recursive hash
> calculation causing a stack overflow. This issue is patched in version 1.4.20
> which handles the stack overflow and raises an InputManipulationException
> instead. A potential workaround for users who only use HashMap or HashSet and
> whose XML refers these only as default map or set, is to change the default
> implementation of java.util.Map and java.util per the code example in the
> referenced advisory. However, this implies that your application does not
> care about the implementation of the map and all elements are comparable.
>
> {*}Solution{*}: Fixed in version *1.4.20* by this commit.
>
> Since ActiveMQ web console uses this library (XStream) - I think we will need
> to update this to 1.4.20, currently we are using *1.4.19* in *5.16.5*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (AMQ-9197) Prototype Javascript Framework - CVE-2020-27511
Nikhil created AMQ-9197: --- Summary: Prototype Javascript Framework - CVE-2020-27511 Key: AMQ-9197 URL: https://issues.apache.org/jira/browse/AMQ-9197 Project: ActiveMQ Issue Type: Dependency upgrade Affects Versions: 5.16.5, 5.16.4, 5.16.3 Reporter: Nikhil An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 version 1.6 and below where an attacker can cause a Regular Expression Denial of Service (ReDOS) through stripping crafted HTML tags. See [https://nvd.nist.gov/vuln/detail/CVE-2020-27511] for further details *prototype.js* is part of activemq-web-5.16.3.jar which is shipped inside *activemq-web-console.war* Can someone please confirm the affected projects of activeMQ for this prototype.js library.. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (AMQ-9195) Upgrade XStream to 1.4.20 - CVE-2022-41966
[
https://issues.apache.org/jira/browse/AMQ-9195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikhil updated AMQ-9195:
Summary: Upgrade XStream to 1.4.20 - CVE-2022-41966 (was: XStream -
CVE-2022-41966)
> Upgrade XStream to 1.4.20 - CVE-2022-41966
> --
>
> Key: AMQ-9195
> URL: https://issues.apache.org/jira/browse/AMQ-9195
> Project: ActiveMQ
> Issue Type: Dependency upgrade
>Affects Versions: 5.16.5
>Reporter: Nikhil
>Priority: Major
>
> {*}Summary{*}: XStream serializes Java objects to XML and back again.
> Versions prior to 1.4.20 may allow a remote attacker to terminate the
> application with a stack overflow error, resulting in a denial of service
> only via manipulation the processed input stream. The attack uses the hash
> code implementation for collections and maps to force recursive hash
> calculation causing a stack overflow. This issue is patched in version 1.4.20
> which handles the stack overflow and raises an InputManipulationException
> instead. A potential workaround for users who only use HashMap or HashSet and
> whose XML refers these only as default map or set, is to change the default
> implementation of java.util.Map and java.util per the code example in the
> referenced advisory. However, this implies that your application does not
> care about the implementation of the map and all elements are comparable.
>
> {*}Solution{*}: Fixed in version *1.4.20* by this commit.
>
> Since ActiveMQ web console uses this library (XStream) - I think we will need
> to update this to 1.4.20, currently we are using *1.4.19* in *5.16.5*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (AMQ-9195) XStream - CVE-2022-41966
Nikhil created AMQ-9195:
---
Summary: XStream - CVE-2022-41966
Key: AMQ-9195
URL: https://issues.apache.org/jira/browse/AMQ-9195
Project: ActiveMQ
Issue Type: Dependency upgrade
Affects Versions: 5.16.5
Reporter: Nikhil
{*}Summary{*}: XStream serializes Java objects to XML and back again. Versions
prior to 1.4.20 may allow a remote attacker to terminate the application with a
stack overflow error, resulting in a denial of service only via manipulation
the processed input stream. The attack uses the hash code implementation for
collections and maps to force recursive hash calculation causing a stack
overflow. This issue is patched in version 1.4.20 which handles the stack
overflow and raises an InputManipulationException instead. A potential
workaround for users who only use HashMap or HashSet and whose XML refers these
only as default map or set, is to change the default implementation of
java.util.Map and java.util per the code example in the referenced advisory.
However, this implies that your application does not care about the
implementation of the map and all elements are comparable.
{*}Solution{*}: Fixed in version *1.4.20* by this commit.
Since ActiveMQ web console uses this library (XStream) - I think we will need
to update this to 1.4.20, currently we are using *1.4.19* in *5.16.5*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (AMQ-8603) In the documentation of redilevery policy redelivery policy map is mentioned twice
Nikhil created AMQ-8603: --- Summary: In the documentation of redilevery policy redelivery policy map is mentioned twice Key: AMQ-8603 URL: https://issues.apache.org/jira/browse/AMQ-8603 Project: ActiveMQ Issue Type: Improvement Components: Documentation Affects Versions: 5.16.5 Reporter: Nikhil Attachments: redelivery-policy-map-twice.PNG The redelivery policy map is defined twice. I am attaching a screenshot to help you find hte issue. Here is the link to the documentation:- https://activemq.apache.org/message-redelivery-and-dlq-handling -- This message was sent by Atlassian Jira (v8.20.7#820007)
