ActiveMQ
  1. ActiveMQ
  2. AMQ-2700

Apache ActiveMQ is prone to source code disclosure vulnerability.

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 5.3.1
    • Fix Version/s: 5.3.2, 5.4.0
    • Component/s: None
    • Labels:
      None
    • Environment:

      Linux/Windows environment

      Description

      An input validation error is present in Apache ActiveMQ. Adding '//' after the
      port in an URL causes it to disclose the JSP page source.

      This has been tested on various admin pages,
      admin/index.jsp, admin/queues.jsp, admin/topics.jsp etc.

      NOTE : Refer attached file for complete information/advisory.

        Activity

        Hide
        Veerendra G.G added a comment -

        Attached file is having complete information about the issue.

        Show
        Veerendra G.G added a comment - Attached file is having complete information about the issue.
        Hide
        Dejan Bosanac added a comment - - edited

        I confirmed this issue exists in 5.3.1 version, however it seems to be solved in trunk (5.4-snapshot) due to upgrade of jetty to 7.x.

        After a bit of investigation it turns out to be a problem with Jetty's ResourceHandler. To work around this problem in 5.3.1, follow these steps:

        1. go to the {{$

        {ACTIVEMQ_HOME}/webapps}} dir
        2. make new dir called static - mkdir static
        3. move index.html file there - mv index.html static/
        4. change ResourceHandler to use static dir . To do that, edit {{${ACTIVEMQ_HOME}

        /conf/jetty.xml}} and change ResourceHandler definition to

        <bean class="org.mortbay.jetty.handler.ResourceHandler">
          <property name="welcomeFiles">
            <list>
              <value>index.html</value>
            </list>
          </property>
          <property name="resourceBase" value="${activemq.base}/webapps/static"/>
        </bean>
        Show
        Dejan Bosanac added a comment - - edited I confirmed this issue exists in 5.3.1 version, however it seems to be solved in trunk (5.4-snapshot) due to upgrade of jetty to 7.x. After a bit of investigation it turns out to be a problem with Jetty's ResourceHandler. To work around this problem in 5.3.1, follow these steps: 1. go to the {{$ {ACTIVEMQ_HOME}/webapps}} dir 2. make new dir called static - mkdir static 3. move index.html file there - mv index.html static/ 4. change ResourceHandler to use static dir . To do that, edit {{${ACTIVEMQ_HOME} /conf/jetty.xml}} and change ResourceHandler definition to <bean class= "org.mortbay.jetty.handler.ResourceHandler" > <property name= "welcomeFiles" > <list> <value>index.html</value> </list> </property> <property name= "resourceBase" value= "${activemq.base}/webapps/ static " /> </bean>
        Hide
        Dejan Bosanac added a comment -

        This workaround will be available in the next fuse 5.3.1-fuse-01-00 release (http://fusesource.com/), if anyone is interested.

        Show
        Dejan Bosanac added a comment - This workaround will be available in the next fuse 5.3.1-fuse-01-00 release ( http://fusesource.com/ ), if anyone is interested.
        Hide
        Veerendra G.G added a comment -

        I am able to reproduce this issue in 5.4-snapshot as well.

        Show
        Veerendra G.G added a comment - I am able to reproduce this issue in 5.4-snapshot as well.
        Hide
        Dejan Bosanac added a comment -

        Hi Veerendra,

        I just retested. The steps are following:

        1. Download latest snapshot from https://repository.apache.org/content/repositories/snapshots/org/apache/activemq/apache-activemq/5.4-SNAPSHOT/apache-activemq-5.4-SNAPSHOT-bin.tar.gz

        2. install and run

        3. Try accessing http://localhost:8161//admin/queues.jsp

        I'm getting 404 as expected. Can you try this latest snapshot, just to be sure we're looking at the same thing and send you log if you're seeing something else?

        Show
        Dejan Bosanac added a comment - Hi Veerendra, I just retested. The steps are following: 1. Download latest snapshot from https://repository.apache.org/content/repositories/snapshots/org/apache/activemq/apache-activemq/5.4-SNAPSHOT/apache-activemq-5.4-SNAPSHOT-bin.tar.gz 2. install and run 3. Try accessing http://localhost:8161//admin/queues.jsp I'm getting 404 as expected. Can you try this latest snapshot, just to be sure we're looking at the same thing and send you log if you're seeing something else?
        Hide
        Veerendra G.G added a comment -

        Hi Dejan,

        yeah, the issue has been fixed now.

        Issue exists, when I downloaded from the same location and tested yesterday.

        Thank you...

        regards,
        Veerendra

        Show
        Veerendra G.G added a comment - Hi Dejan, yeah, the issue has been fixed now. Issue exists, when I downloaded from the same location and tested yesterday. Thank you... regards, Veerendra
        Hide
        Gary Tully added a comment -

        does this resolve the following, looks like it does to me, same sort of issue about restricting access to the resource loader:

        iDefense VCP Submission V-ay6t2oua0k
        05/05/2010
        Apache ActiveMQ Directory Traversal Vulnerability

        Description:
        Remote exploitation of a directory traversal vulnerability in Apache Software Foundation's Apache ActiveMQ could allow an attacker to download files from a restricted directory, which can result in information disclosure.

        Apache ActiveMQ is a messaging and enterprise integration patterns provider. The platform provides a Message Broker which handles communication between several different applications. Apache ActiveMQ supports many popular development languages including C/C++, Python, Java, and .NET. Apache ActiveMQ runs on a variety of platforms, including Windows, Linux and Solaris

        For more information, see the vendor's site at the following link: http://activemq.apache.org

        The vulnerability is due to a failure by the Message Broker to restrict directory traversals. As a result, sensitive locations outside the configured Message Broker restricted directory can be accessed by an attacker. No authentication is required to access the ActiveMQ Message Broker service.

        Analysis:
        Exploitation of this vulnerability could allow an attacker to gain control over the affected machine.

        By specifying a URL location with multiple directory traversal sequences such as "/\../\../\", it is possible for an attacker to access sensitive files hosted on the Message Broker Server using the privileges associated with the Message Broker process. An attacker may be able to read important system files, which will result in information disclosure, and can potentially lead to full host compromise.

        iDefense considers this vulnerability to be of MEDIUM severity because the vulnerability leads to information disclosure.

        Credit:
        AbdulAziz Hariri

        Show
        Gary Tully added a comment - does this resolve the following, looks like it does to me, same sort of issue about restricting access to the resource loader: iDefense VCP Submission V-ay6t2oua0k 05/05/2010 Apache ActiveMQ Directory Traversal Vulnerability Description: Remote exploitation of a directory traversal vulnerability in Apache Software Foundation's Apache ActiveMQ could allow an attacker to download files from a restricted directory, which can result in information disclosure. Apache ActiveMQ is a messaging and enterprise integration patterns provider. The platform provides a Message Broker which handles communication between several different applications. Apache ActiveMQ supports many popular development languages including C/C++, Python, Java, and .NET. Apache ActiveMQ runs on a variety of platforms, including Windows, Linux and Solaris For more information, see the vendor's site at the following link: http://activemq.apache.org The vulnerability is due to a failure by the Message Broker to restrict directory traversals. As a result, sensitive locations outside the configured Message Broker restricted directory can be accessed by an attacker. No authentication is required to access the ActiveMQ Message Broker service. Analysis: Exploitation of this vulnerability could allow an attacker to gain control over the affected machine. By specifying a URL location with multiple directory traversal sequences such as "/\../\../\", it is possible for an attacker to access sensitive files hosted on the Message Broker Server using the privileges associated with the Message Broker process. An attacker may be able to read important system files, which will result in information disclosure, and can potentially lead to full host compromise. iDefense considers this vulnerability to be of MEDIUM severity because the vulnerability leads to information disclosure. Credit: AbdulAziz Hariri
        Hide
        Dejan Bosanac added a comment -

        I cannot reproduce this either on 5.2.0 or 5.3.x. If anyone succeed, please provide steps and version of the broker.

        Show
        Dejan Bosanac added a comment - I cannot reproduce this either on 5.2.0 or 5.3.x. If anyone succeed, please provide steps and version of the broker.
        Hide
        Dejan Bosanac added a comment -
        Show
        Dejan Bosanac added a comment - Analyzed in a separate issue https://issues.apache.org/activemq/browse/AMQ-2788

          People

          • Assignee:
            Dejan Bosanac
            Reporter:
            Veerendra G.G
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development