[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17116038#comment-17116038 ] Colm O hEigeartaigh commented on AMQ-7491: -- Can you share the script your are using to reproduce the problem? > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Blocker > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17118702#comment-17118702 ] wang Jessie commented on AMQ-7491: -- I am willing to share my script. Can I send you by email? Because I am not decided to make the script public. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Blocker > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17118709#comment-17118709 ] Colm O hEigeartaigh commented on AMQ-7491: -- I will contact you. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Blocker > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17118714#comment-17118714 ] wang Jessie commented on AMQ-7491: -- Thank you! > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Blocker > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17124654#comment-17124654 ] wang Jessie commented on AMQ-7491: -- I have upload my script on GitHub. Here is the address [https://github.com/wqqqy/MPInspector/tree/master/Adapter/AMQP10/hack-amqp10_SameContainerId] > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Blocker > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125035#comment-17125035 ] Timothy A. Bish commented on AMQ-7491: -- Could not reproduce any unexpected behaviour from the broker. The container ID is treated as the client ID in the same manner as an OpenWire JMS client and as such only one client connection with the same ID can be active at any given time. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Major > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125283#comment-17125283 ] wang Jessie commented on AMQ-7491: -- It is true that the that only one client connection with the same ID can be active at any time. However, the former client actually close its connection, the ActiveMQ belives the client is still connected. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Major > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and the client closed this TCP connection with the broker. > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125290#comment-17125290 ] Timothy A. Bish commented on AMQ-7491: -- The client connection is checked by the inactivity monitor to ensure that it will not remain open forever in the case of a drop at the client end. I've tested this and can find no issues with that validation, if you've configured that off in your broker then yes you could have issues with clients dropping and not being noticed but that'd be due to configuration. The test script is far to complicated and was not functional for me so I've tested using modifications of the existing client tests which also check various aspects of this so you need to create a more simpler test script that can provoke the issue you think you are seeing for an outside observer to validate. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Major > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and *the client closed this TCP connection with the broker.* > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125303#comment-17125303 ] wang Jessie commented on AMQ-7491: -- I used the default setting that transport.useInactivityMonitor=true. Only sending a OPEN packet with the a container ID to the broker when a client with the same container ID have opened the channel but didn't begin the session can cause this problem. Other exceptions that caused the client offline are noticed by the inactivity monitor. > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Major > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and *the client closed this TCP connection with the broker.* > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125521#comment-17125521 ] wang Jessie commented on AMQ-7491: -- I have attached the link about how to use my script. [https://github.com/wqqqy/Illegal-Occupation-on-ActiveMQ/blob/master/Illegal%20Occupation.md] The script supports sending the Header, OPEN, BEGIN seprately. Or can you share me with your script and I can test my ActiveMQ implementations? > ActiveMQ illegal occupation vulnerability > - > > Key: AMQ-7491 > URL: https://issues.apache.org/jira/browse/AMQ-7491 > Project: ActiveMQ > Issue Type: Bug > Components: AMQP, Broker >Affects Versions: 5.15.12 > Environment: We build a script used JavaScript to interact with the > broker in ActiveMQ 5.15.12. > The experiment is performed on Windows10 1903 version. >Reporter: wang Jessie >Priority: Major > Labels: security > Attachments: 1590234052205.png > > > *Description:* Two client with the same Container-Id are not allowed to > connect to the broker. When we send *two OPEN packet with same the > Container-Id*, the broker will return error and the client will close the TCP > connection. The client with this Container-Id will *never be able to connect > with the broker* unless the broker resets. This vulnerability can be > exploited by the adversary to perform the aforementioned attacks on many > Container-Id to make a huge set of clients unable to connect with the broker. > As the ActiveMQ are widely adopted by the IoT vendors, this can be a > vulnerability affected a wide range. > Following are the details. > We send *two OPEN packets with the same Container-Id 1* and we can learn from > the log A in the attached picture in the broker side that the broker returned > close packets and *the client closed this TCP connection with the broker.* > Then we build a new client to connect with the broker using the same > Container-Id 1, we can learn from the log B in the attached pictur that the > broker returned errors as the broker believe the client with Container-Id 1 > already connected. > *Suggestion for repair:* May be the state of the broker after received two > OPEN packets could be checked and the connection state of the client could be > updated when the TCP connection is closed. > > :)I hope what I found can do some help and if you want further discussion, > please email me by [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. > Thanks for spending your time on my issue. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
