Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1, 5.3.2
    • Fix Version/s: 5.4.0
    • Component/s: None
    • Labels:
      None
    • Environment:

      Windows

      Description

      Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004), ActiveMQ installations on Windows are prone to this vulnerability. For example, you can see the README file by entering the following URL: http://localhost:8161/\../\../README.txt

      This is solved by moving to the 7.x Jetty version on trunk and in the upcoming 5.4.0 release.

      People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the resource handler declaration by commenting out or deleting the following snippet from jetty.xml:

      <bean class="org.mortbay.jetty.handler.ContextHandler">
          <property name="contextPath" value="/"/>
          <property name="handler">
              <bean class="org.mortbay.jetty.handler.ResourceHandler">
                  <property name="welcomeFiles">
                      <list>
                          <value>index.html</value>
                      </list>
                  </property>
                  <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
              </bean>
          </property>
      </bean>
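
      An added example (not part of the original issue and not ActiveMQ or Jetty code): a small Python check that reports whether a jetty.xml still declares an active ResourceHandler bean, i.e. whether the workaround above has been applied. The function names, the wrapping `<beans>` root and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RESOURCE_HANDLER = "org.mortbay.jetty.handler.ResourceHandler"

def local(tag):
    """Strip an XML namespace prefix such as '{uri}bean' down to 'bean'."""
    return tag.rsplit("}", 1)[-1]

def find_resource_handlers(xml_text):
    """Return (contextPath, resourceBase) for every active ResourceHandler bean.

    Commented-out beans are not reported: ElementTree drops XML comments
    while parsing, which matches the 'comment it out' workaround.
    """
    findings = []

    def walk(elem, context_path):
        if local(elem.tag) == "bean":
            props = {p.get("name"): p.get("value")
                     for p in elem if local(p.tag) == "property"}
            if props.get("contextPath") is not None:
                context_path = props["contextPath"]  # inherited by nested handlers
            if elem.get("class") == RESOURCE_HANDLER:
                findings.append((context_path, props.get("resourceBase")))
        for child in elem:
            walk(child, context_path)

    walk(ET.fromstring(xml_text), None)
    return findings

# Constructed sample: the snippet from the issue inside an assumed <beans> root.
SNIPPET = """<bean class="org.mortbay.jetty.handler.ContextHandler">
  <property name="contextPath" value="/"/>
  <property name="handler">
    <bean class="org.mortbay.jetty.handler.ResourceHandler">
      <property name="welcomeFiles"><list><value>index.html</value></list></property>
      <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
    </bean>
  </property>
</bean>"""
UNMITIGATED = "<beans>" + SNIPPET + "</beans>"
# Constructed sample: same file with the snippet commented out (workaround applied).
MITIGATED = '<beans><bean class="org.mortbay.jetty.Server"/><!-- ' + SNIPPET + " --></beans>"

if __name__ == "__main__":
    for name, text in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        hits = find_resource_handlers(text)
        print(name, "-> ResourceHandler still declared:" if hits else "-> clean", hits)
```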

        Activity

        Dejan Bosanac created issue -
        Dejan Bosanac made changes -
        Field Original Value New Value
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Jeff Turner made changes -
        Project Import Fri Nov 26 22:32:02 EST 2010 [ 1290828722158 ]

          People

          • Assignee:
            Dejan Bosanac
            Reporter:
            Dejan Bosanac
          • Votes:
            0
            Watchers:
            0