Bug 1249182 (CVE-2015-5183)

Summary: CVE-2015-5183 Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ataylor, chazlett, deepak.panda, ganandan, jochrist, jwon, krathod, security-response-team, slong, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/ENTMQBR-3382
Whiteboard:
Fixed In Version: Red Hat AMQ 6.3.R9
Doc Type: Bug Fix
Doc Text:
It was found that the Hawtio console does not set the HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to retrieve an authenticated user's session ID, and possibly conduct further attacks with the permissions of the authenticated user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-25 17:20:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1242522, 1939861

Description Chess Hazlett 2015-07-31 18:23:07 UTC
It was found that A-MQ's Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to retrieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user.
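
The missing-attribute condition described in the report, as an added example that is not part of the bug report or of the Hawtio/AMQ code: a small Python checker that parses Set-Cookie header values and flags session cookies lacking HttpOnly or Secure. The cookie name JSESSIONID and the /hawtio path are assumed sample values, not taken from the report.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example (not from the bug report or from Hawtio/AMQ): parses each
Set-Cookie value and reports session cookies that would be readable by
script (no HttpOnly) or sent over plain HTTP (no Secure).
"""
from dataclasses import dataclass, field

# Cookie names treated as session identifiers. JSESSIONID is assumed here as
# a typical Java servlet session cookie; the report itself does not name one.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid"}


@dataclass
class CookieFinding:
    name: str
    missing: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        if part:
            # Flag attributes (Secure, HttpOnly) have no "=value" part.
            attrs.add(part.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_set_cookie_headers(headers: list[str], session_only: bool = True) -> list[CookieFinding]:
    """Flag cookies lacking HttpOnly or Secure; with session_only, check session cookies only."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if session_only and name.lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample headers: the first resembles the unprotected cookie the
# report describes, the second the corrected form, the third a non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/hawtio",
    "JSESSIONID=0123456789abcdef; Path=/hawtio; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```

Run against headers captured from a real response (for example, from a browser's network tab) to confirm that a fixed console emits the session cookie with both attributes.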

Comment 2 Chess Hazlett 2015-12-06 16:55:00 UTC
Acknowledgements:

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting this issue.

Comment 3 deepak.panda 2018-06-14 05:47:18 UTC
Are there any plans to resolve this issue?

Comment 4 errata-xmlrpc 2018-10-01 19:42:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2840 https://access.redhat.com/errata/RHSA-2018:2840

Comment 7 Product Security DevOps Team 2020-06-25 17:20:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-5183

Comment 9 Chess Hazlett 2020-07-06 22:23:00 UTC
Statement:

This flaw affects only the Red Hat AMQ Product, and does not impact Apache ActiveMQ.

Comment 11 errata-xmlrpc 2020-10-01 11:38:36 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:4154 https://access.redhat.com/errata/RHSA-2020:4154

Comment 12 errata-xmlrpc 2020-12-08 08:55:45 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365