  1. ActiveMQ
  2. AMQ-5745

Code analysis revealed multiple vulnerable sections of code

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.9.0
    • Fix Version/s: 5.12.0
    • Component/s: None
    • Labels:
      None
    • Patch Info:
      Patch Available

      Description

      Code analysis revealed multiple vulnerable sections of code in ActiveMQ 5.9.0. A patch file is attached that addresses the issues below.

      activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706

      This code uses the "eval()" function to evaluate JSON code. This method is deprecated and dangerous and has been replaced by the JSON.parse() method, which is supported in all modern browsers. Considering that less than 2% of modern computers are still using legacy browsers, we believe the code should be upgraded to use the more secure method.

      activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
      activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
      activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
      activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
      activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
      activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
      activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
      activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
      activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
      activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
      activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
      activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
      activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
      activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
      activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
      activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
      activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
      activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
      activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198

      Resource leaks are possible at these code locations (the patched code releases the resources within a finally() statement)

      activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
      activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
      activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
      activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
      activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568

      NULL dereferences are possible at these code locations

      activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269

      Double-locking of this form is vulnerable to race conditions

      activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
      activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284

      XSS reflection is possible at these code locations (an XSS filter should be added)

      activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72

      Path manipulation is possible via ".." directory traversal

      activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141

      A return statement inside a finally block will cause any exception that might be thrown in the try or catch block to be discarded.

      activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68

      Recording passwords to a logfile in plaintext is inadvisable

        Attachments

        1. activemq.patch
          49 kB
          Int3
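
The eval() versus JSON.parse() point from the description, shown as an added example (not code from prototype.js, the attached patch or the reporter). The response strings, the `__evalRan` marker and all function names are constructed for illustration.

```javascript
// Added example: names and sample inputs are constructed, not from ActiveMQ.
const BENIGN = '{"destination":"queue.orders","pending":3}';
// Not valid JSON: the value is a JavaScript expression with a side effect.
const NOT_JSON = '{"pending": (globalThis.__evalRan = true, 3)}';

// "Before": the eval-based pattern. Anything that is a valid JavaScript
// expression is executed, so the response body is trusted as code.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// "After": JSON.parse accepts only the JSON grammar and never executes input.
// The shape check is an extra step: parsing safely does not validate content.
function parseStrict(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: err.name };
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, reason: 'not an object' };
  }
  if (!Number.isInteger(value.pending)) {
    return { ok: false, reason: 'pending is not an integer' };
  }
  return { ok: true, value };
}

// Runs both parsers over the same input and reports whether embedded code ran.
function compare() {
  delete globalThis.__evalRan;
  const evalValue = parseWithEval(NOT_JSON);
  const evalRanCode = globalThis.__evalRan === true;
  delete globalThis.__evalRan;
  const strict = parseStrict(NOT_JSON);
  const strictRanCode = globalThis.__evalRan === true;
  return {
    evalPending: evalValue.pending,
    evalRanCode,
    strictOk: strict.ok,
    strictReason: strict.reason,
    strictRanCode,
    benignOk: parseStrict(BENIGN).ok,
  };
}

console.log(compare());
```

The eval path returns a normal-looking object while the embedded expression has already run; the strict path rejects the same input with a SyntaxError before anything executes.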

            People

            • Assignee:
              Unassigned
              Reporter:
              int3solutions Int3