[oss-security]
> CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can
> lead to JMX being enabled
> > >
> > > Here is the content of this email:
> > >
> > > Severity: High
> > > Vendor: The Apache Software Founda
>>>
>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm wrote:
>>> Hello,
>>>
>>> On 2020/12/17, in an oss-security email, I saw "[oss-security] CVE-2020-13931
>>> Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX
>>> being enabled"
> > Apache TomEE 7.0.0-M1 - 7.0.8
> > Apache TomEE 1.0.0 - 1.7.5
> > Description:
> > If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
> > broker config is misconfigured, a JMX port is opened on TCP port 1099,
> > which does not include authent
.org is
>>>>>> the address to report them (CC'd).
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>>
>>>>>> On Mon, Dec 21, 2020
, however the incomplete fix
>>>>> did not cover this edge case.
>>>>> Mitigation:
>>>>> - Upgrade to TomEE 7.0.9 or later
>>>>> - Upgrade to TomEE 7.1.4 or later
>>>>> - Upgrade to TomEE 8.0.4 or later
>>>>> Ensure the correct VM broker name is used consistently across the
>>>>> resource adapter config.
>>>>> Credit: Thanks to Frans Henskens for discovering and reporting this
>>>>> issue.
>>>>
>>>>
>>>> So, I used TomEE 7.1.3 to test this vulnerability, and I found that
>>>> this vulnerability is fake.
>>>> Frans Henskens got something wrong.
>>>>
>>>> tomee.xml
>>>>
>>>> BrokerXmlConfig=broker:(vm://localhost:61616)
>>>> ServerUrl = vm://localhost?async=true
>>>>
>>>> I use this to start up TomEE 7.1.3.
>>>>
>>>> About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java:
>>>> this is done before start() (managementContext.setCreateConnector(false);).
>>>>
>>>> So, let me see:
>>>> it can't call the createConnector() function, because before start()
>>>> managementContext.setCreateConnector(false) has already been called.
>>>> So the unauthorized JMX service on 1099 will not be enabled.
>>>> CVE-2020-13931 is a fake vulnerability.
>>>>
>>>>
>>>>
>>>>
>>>> Did you test exactly what he said was a safety issue?
>>>> Looking forward to your reply.
>>>>
>>>> r00t4dm
>>>> A-TEAM of Legendsec at Qi'anxin Group
>>>>
>>>
Hi Jonathan
That's a perfect approach and reply suggestion, go for it! I wonder too
sometimes if this is a tactic in order for a lazy researcher to try to gain
a reproducer.
(I wouldn't worry about cc'ing in private@tomee though, you probably don't
want to get that list too polluted, dev/user l