Bug 1175013 (CVE-2014-8110) - CVE-2014-8110 Apache ActiveMQ: various flaws, XSS, XXE, LDAP wildcard interpretation
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-8110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1171373
Reported: 2014-12-17 00:19 UTC by Chess Hazlett
Modified: 2019-09-29 13:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-16 19:53:59 UTC
Embargoed:


Attachments
description of vulns (5.82 KB, text/plain)
2014-12-18 21:37 UTC, Chess Hazlett
AMQ XXE POC (2.73 KB, text/plain)
2014-12-18 21:38 UTC, Chess Hazlett

Description Chess Hazlett 2014-12-17 00:19:21 UTC
1. XSS: Due to improper user data output validation, several instances of cross-site scripting vulnerabilities were identified to be present in the web-based administration console.

2. XXE: It is possible for a consumer dequeuing XML message(s) to specify an XPath-based selector, thus causing the broker to evaluate the expression and attempt to match it against the messages in the queue while also performing an XML external entity resolution.

3. LDAP Wildcard Interpretation: When LDAP authentication is enabled, it is possible for an attacker to supply a wildcard operator instead of a username, which will effectively allow him to brute force a password for an unknown but valid account as opposed to brute forcing a combination of username and password. Once a valid password is found, the attacker can successfully authenticate with LDAP and publish/subscribe to a queue.
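
For item 3, an added example (not part of the bug report and not ActiveMQ code) showing why an unescaped username behaves as a wildcard in an LDAP search filter and how RFC 4515 escaping plus a single-match requirement closes it. The directory contents, the `uid` attribute and all function names are assumptions made for illustration; `search` is a small stand-in for a real LDAP server.

```python
import re

# Constructed sample directory standing in for an LDAP server (not from the bug report).
DIRECTORY = [{"uid": "alice"}, {"uid": "bob"}]

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username):
    # Weak form: the username reaches the filter verbatim, so '*' keeps its wildcard meaning.
    return "(uid=%s)" % username


def build_filter_safe(username):
    # Hardened form: '*' becomes the literal \2a and can only match a uid that is '*'.
    return "(uid=%s)" % escape_filter_value(username)


def search(ldap_filter):
    """Evaluate one (attr=value) filter against DIRECTORY (hypothetical stand-in)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, pattern = m.groups()
    # Unescaped '*' separates substring parts; \XX escapes decode to literal characters.
    parts = [
        re.escape(re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), part))
        for part in pattern.split("*")
    ]
    regex = re.compile(".*".join(parts), re.S)
    return [e[attr] for e in DIRECTORY if attr in e and regex.fullmatch(e[attr])]


def resolve_user(username):
    """Resolve a login name to exactly one entry, or None; never bind on a wildcard hit."""
    hits = search(build_filter_safe(username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for name in ("alice", "*"):
        print(name, search(build_filter_unsafe(name)), resolve_user(name))
```
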

Comment 1 Chess Hazlett 2014-12-18 21:37:27 UTC
Created attachment 970844
description of vulns

Comment 2 Chess Hazlett 2014-12-18 21:38:03 UTC
Created attachment 970845
AMQ XXE POC

Comment 3 Chess Hazlett 2015-02-16 19:53:59 UTC
Per discussion with Dejan Bosanac on IRC, no RH fuse products are affected by CVE-2014-8110; it was introduced by a community commit that was never backported. Closing the flaw.

