Bug 1175013 (CVE-2014-8110)

Summary: CVE-2014-8110 Apache ActiveMQ: various flaws, XSS, XXE, LDAP wildcard interpretation
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-02-16 19:53:59 UTC
Bug Blocks: 1171373    
Attachments:
description of vulns (flags: none)
AMQ XXE POC (flags: none)

Description Chess Hazlett 2014-12-17 00:19:21 UTC
1. XSS: Due to improper user data output validation, several instances of cross-site scripting vulnerabilities were identified to be present in the web-based administration console.

2. XXE: It is possible for a consumer dequeuing XML message(s) to specify an XPath-based selector, thus causing the broker to evaluate the expression and attempt to match it against the messages in the queue while also performing an XML external entity resolution.

3. LDAP Wildcard Interpretation: When LDAP authentication is enabled, it is possible for an attacker to supply a wildcard operator instead of a username, which will effectively allow him to brute force a password for an unknown but valid account as opposed to brute forcing a combination of username and password. Once a valid password is found, the attacker can successfully authenticate with LDAP and publish/subscribe to a queue.
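
The wildcard behaviour in item 3 and its usual mitigation, as an added example that is not part of the bug report or of ActiveMQ's code: a toy directory and filter evaluator showing the user name hex-escaped per RFC 4515 before it is placed in the search filter. The directory entries, the `(uid={0})` template, the first-hit bind and all function names are assumptions made for the illustration.

```python
import re

# Constructed directory entries for this example (not from the bug report).
DIRECTORY = [
    {"uid": "alice", "password": "correct-horse"},
    {"uid": "bob", "password": "hunter2"},
]
FILTER_TEMPLATE = "(uid={0})"  # hypothetical user-search filter


def escape_filter_value(value):
    """Hex-escape the RFC 4515 special characters so they match literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search(ldap_filter):
    """Toy evaluator for a single (uid=...) filter; a bare '*' is a wildcard."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    pattern = ""
    for esc, star, lit in re.findall(r"\\([0-9a-fA-F]{2})|(\*)|(.)", m.group(1), re.S):
        if esc:                      # \xx escape: the literal character
            pattern += re.escape(chr(int(esc, 16)))
        elif star:                   # unescaped '*': match anything
            pattern += ".*"
        else:
            pattern += re.escape(lit)
    return [e for e in DIRECTORY if re.fullmatch(pattern, e["uid"], re.S)]


def login_unescaped(username, password):
    """Weak form: raw user name in the filter, first search hit is bound."""
    hits = search(FILTER_TEMPLATE.format(username))
    return bool(hits) and hits[0]["password"] == password


def login_escaped(username, password):
    """Hardened form: escaped user name, and exactly one entry must match."""
    hits = search(FILTER_TEMPLATE.format(escape_filter_value(username)))
    return len(hits) == 1 and hits[0]["password"] == password


if __name__ == "__main__":
    for name in ("alice", "*"):
        print(name, login_unescaped(name, "correct-horse"),
              login_escaped(name, "correct-horse"))
```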

Comment 1 Chess Hazlett 2014-12-18 21:37:27 UTC
Created attachment 970844: description of vulns

Comment 2 Chess Hazlett 2014-12-18 21:38:03 UTC
Created attachment 970845: AMQ XXE POC

Comment 3 Chess Hazlett 2015-02-16 19:53:59 UTC
Per discussion with Dejan Bosanac on IRC, no RH fuse products are affected by CVE-2014-8110; it was introduced by a community commit that was never backported. Closing the flaw.