Currently it is known that the following browsers can be used for a successful attack:
* Chrome prior to version 76
* Firefox prior to version 61
* Opera Browser prior to version 68
More details are in the task bug.
Name: Jeremy Choi (Red Hat)
This issue has been addressed in the following products:
Red Hat AMQ Online 1.5.2 GA
Via RHSA-2020:3209 https://access.redhat.com/errata/RHSA-2020:3209
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
A word on scoring: our scoring is currently 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H) and NVD's is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Attack Vector Network (AV:N) -
Agree here. Although the attack requires user interaction (e.g. spear phishing), the attack vector is Network, as this attack does not require the attacker to have a presence on the private OpenShift network and the service itself is tied to the network stack.
Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):
We disagree with the scoring of a low attack complexity; we believe there are elements of the attack that depend on conditions beyond the attacker's control.
Although we address user interaction in a separate section, it's worth mentioning that in order for the victim's browser to make the POST requests without preflight checks there must be a method for the attacker to do this; we highlight one such example, older browsers with Flash. This means there are two main prerequisites for the attack and, depending on the request, a third element outside the attacker's control:
*) Outdated or un-patched browser
*) A 3rd-party plugin such as Adobe Flash
*) As this is a blind attack relying on POST requests, some API endpoints will require information the attacker will not possess, such as namespace IDs or the requesting user's ID.
We do not believe an attacker can rely on either of these elements to be true.
Privileges Required None (PR:N) -
Agree here. The attacker does not need to be a privileged user (e.g. no login is required to exploit the base flaw); the attack relies on a privileged user making the requests for the attacker.
User Interaction None (UI:R)
Agree here. The attack would rely on a privileged user visiting resources an attacker controls, i.e. via a phishing attack.
Scope Unchanged (S:U)
Agree here. The attacker will not be able to escape the scope of the targeted user.
Confidentiality High (C:H) -> Confidentiality None (C:N)
We disagree with the scoring of high impact on confidentiality. This attack relies on targeted users sending POST requests at the attacker's behest; the attacker can expect the API calls to be carried out, but they will not get a response (it is a blind attack). As the user management of this application is not part of the vulnerable API, an attacker would not, for example, be able to change a password and gain access to information, and we cannot see any other information disclosure being possible.
*) The HTTP method must be unsafe (POST, PUT, DELETE, etc.)
Integrity High (I:H) -> Integrity Low (I:L)
We disagree with the scoring of high impact upon integrity. The attacker does not have the ability to modify any and all data; though we address this under attack complexity, there are elements of the POST request that require information about the system structure that the attacker will not have access to. For example, deleting address spaces in AMQ Online would require the attacker to have knowledge of the namespace's name. This means only some of the data they have access to is amenable.
Availability High (A:H)
Agree here. If the attacker is able to overcome the previously mentioned caveats, they can potentially permanently delete resources and thus deny other users access to them.
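The comments above describe why the CSRF works: a privileged user's browser is made to send unsafe-method requests that the API accepts without a CORS preflight, so the server cannot rely on the browser to stop them. As an added example (not part of the bug report or of AMQ Online's own code), the Python function below shows the server-side checks that hold regardless of preflight, an Origin/Referer comparison against the expected origin plus a double-submit CSRF token; the header names, the cookie name and the `console.example.internal` host are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Tuple
from urllib.parse import urlsplit

# Methods that may change state, i.e. the ones a blind CSRF attack targets.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the unit compared in Origin checks."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def csrf_check(req: Request, allowed_origin: str) -> Tuple[bool, str]:
    """Decide whether a request may proceed without depending on a CORS preflight.

    Safe methods pass. Unsafe methods must (1) state the expected origin via
    Origin or, failing that, Referer, and (2) carry an X-CSRF-Token header equal
    to the double-submit cookie. Both checks fail closed when a header is absent.
    """
    if req.method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    hdr = {k.lower(): v for k, v in req.headers.items()}
    stated = hdr.get("origin") or hdr.get("referer")
    if not stated:
        return False, "unsafe method without Origin or Referer"
    if _origin_of(stated) != _origin_of(allowed_origin):
        return False, f"cross-origin request from {_origin_of(stated)}"
    token, cookie = hdr.get("x-csrf-token"), req.cookies.get("csrf_token")
    if not token or not cookie or not hmac.compare_digest(token, cookie):
        return False, "missing or mismatched CSRF token"
    return True, "same-origin request with valid CSRF token"

def demo() -> dict:
    """Run the check over constructed requests; returns {label: (allowed, reason)}."""
    site = "https://console.example.internal"  # assumed console origin
    cases = {
        "get_without_headers": Request("GET"),
        "legit_post": Request("POST", {"Origin": site, "X-CSRF-Token": "t0k"}, {"csrf_token": "t0k"}),
        "blind_cross_site_post": Request("POST", {"Origin": "https://attacker.example"}, {"csrf_token": "t0k"}),
        "delete_no_origin_header": Request("DELETE", {}, {"csrf_token": "t0k"}),
        "same_origin_no_token": Request("PUT", {"Referer": site + "/ui/"}, {"csrf_token": "t0k"}),
    }
    return {name: csrf_check(r, site) for name, r in cases.items()}
```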