Bug 955908 (CVE-2013-3060)

Summary: CVE-2013-3060 activemq: Unauthenticated access to web console
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bleanhar, ccoleman, djorm, dmcphers, grocha, jbpapp-maint, jialiu, jlieskov, lmeyer, rcvalle, soa-p-jira, tkramer, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-09 20:46:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 956950, 956951    
Bug Blocks: 955433, 958349    

Description Arun Babu Neelicattu 2013-04-24 04:23:25 UTC 
The web console in Apache ActiveMQ before 5.8.0 does not require authentication. Remote attackers could use this flaw to modify the state of the ActiveMQ environment, obtain sensitive information or cause a denial of service via HTTP requests.
Comment 1 David Jorm 2013-04-26 05:11:07 UTC 
External References:

(none)
Comment 3 David Jorm 2013-04-26 05:26:15 UTC 
Statement:

Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.

A future update may address this flaw in Fuse Message Broker 5.5.1.
Comment 6 errata-xmlrpc 2013-07-09 17:57:58 UTC 
This issue has been addressed in following products:

  Fuse MQ Enterprise 7.1.0

Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html
Comment 7 errata-xmlrpc 2013-09-09 16:57:06 UTC 
This issue has been addressed in following products:

  Fuse Message Broker 5.5.1

Via RHSA-2013:1221 https://rhn.redhat.com/errata/RHSA-2013-1221.html