The web console in Apache ActiveMQ before 5.8.0 does not require authentication. Remote attackers could use this flaw to modify the state of the ActiveMQ environment, obtain sensitive information or cause a denial of service via HTTP requests.
External References: (none)
Statement: Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it. A future update may address this flaw in Fuse Message Broker 5.5.1.
This issue has been addressed in following products: Fuse MQ Enterprise 7.1.0 Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html
This issue has been addressed in following products: Fuse Message Broker 5.5.1 Via RHSA-2013:1221 https://rhn.redhat.com/errata/RHSA-2013-1221.html