It was found that A-MQ's Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to rerieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user.
Acknowledgements: Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting this issue.
Is there any plans to resolve this issue?
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:2840 https://access.redhat.com/errata/RHSA-2018:2840
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-5183
Statement: This flaw affects only the Red Hat AMQ Product, and does not impact Apache ActiveMQ.
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:4154 https://access.redhat.com/errata/RHSA-2020:4154
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365