Bug 1892384 (CVE-2021-26118) - CVE-2021-26118 AMQ Broker 7: OpenWire can create destinations with an unprivileged user
Summary: CVE-2021-26118 AMQ Broker 7: OpenWire can create destinations with an unprivi...
Keywords:
Status: NEW
Alias: CVE-2021-26118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1891127
 
Reported: 2020-10-28 15:31 UTC by Jonathan Christison
Modified: 2023-07-07 08:35 UTC

Fixed In Version: activemq-artemis-2.16.0 redhat-amq-7.8.0
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Jonathan Christison 2020-10-28 15:31:23 UTC
It was found that the AMQ 7 broker allows users using the OpenWire protocol to bypass the usual permission checks; this can allow an unprivileged user to create queues without verifying the role.

Comment 1 Jonathan Christison 2020-10-28 15:32:20 UTC
Acknowledgments:

Name: Francesco Marchioni (Red Hat)

Comment 2 Jonathan Christison 2021-01-27 11:52:20 UTC
Mitigation:

If you are not using the OpenWire protocol, it can be disabled by removing it from the list of accepted protocols in the `broker.xml`:
```xml
<acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
```
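Added example, not part of the bug report: a small check that reads a `broker.xml` and reports every acceptor that still accepts OpenWire, so the mitigation above can be verified across a fleet of brokers. It parses the acceptor URI's `;`-separated query parameters and treats an acceptor with no `protocols` parameter as exposing OpenWire, on the assumption (Artemis' documented default) that an acceptor without that parameter accepts all protocols. The three-acceptor `broker.xml` fragment is constructed for the example; the first acceptor mirrors the hardened one shown in the comment.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample broker.xml fragment (not taken from any real broker):
#  - "artemis":   protocols list without OPENWIRE (hardened, as in the mitigation)
#  - "legacy":    explicitly lists OPENWIRE
#  - "catch-all": no protocols parameter at all (assumed to accept every protocol)
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq" xmlns:core="urn:activemq:core">
  <core:core>
    <core:acceptors>
      <core:acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT;useEpoll=true</core:acceptor>
      <core:acceptor name="legacy">tcp://0.0.0.0:61617?protocols=OPENWIRE,CORE</core:acceptor>
      <core:acceptor name="catch-all">tcp://0.0.0.0:61618?useEpoll=true</core:acceptor>
    </core:acceptors>
  </core:core>
</configuration>"""


def acceptor_params(url):
    """Parse the acceptor URI's query string into a dict.

    Artemis acceptor URIs separate parameters with ';' (plain '&' is
    accepted here too), e.g. tcp://0.0.0.0:61616?protocols=CORE,AMQP;useEpoll=true
    """
    query = urlsplit(url.strip()).query
    params = {}
    for part in re.split(r"[;&]", query):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def accepts_openwire(url):
    """True if the acceptor URI still accepts OpenWire connections."""
    protocols = acceptor_params(url).get("protocols")
    if protocols is None:
        # Assumption: no 'protocols' parameter means every protocol,
        # OpenWire included, is accepted on this acceptor.
        return True
    enabled = {p.strip().upper() for p in protocols.split(",")}
    return "OPENWIRE" in enabled


def openwire_acceptors(broker_xml_text):
    """Return [(acceptor name, uri)] for every acceptor exposing OpenWire.

    Element matching ignores XML namespaces so it works whether broker.xml
    uses a default namespace or a 'core:' prefix.
    """
    root = ET.fromstring(broker_xml_text)
    findings = []
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] != "acceptor":
            continue
        uri = (element.text or "").strip()
        if accepts_openwire(uri):
            findings.append((element.get("name", "<unnamed>"), uri))
    return findings


if __name__ == "__main__":
    for name, uri in openwire_acceptors(SAMPLE_BROKER_XML):
        print(f"acceptor '{name}' still accepts OpenWire: {uri}")
```

Run it against a real `broker.xml` by passing the file contents to `openwire_acceptors()`; an empty result means no acceptor exposes OpenWire, which is the state the mitigation above is meant to reach.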

