Bug 1892384 (CVE-2021-26118) - CVE-2021-26118 AMQ Broker 7: OpenWire can create destinations with an unprivileged user
Summary: CVE-2021-26118 AMQ Broker 7: OpenWire can create destinations with an unprivi...
Keywords:
Status: NEW
Alias: CVE-2021-26118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1891127
Reported: 2020-10-28 15:31 UTC by Jonathan Christison
Modified: 2023-07-07 08:35 UTC (History)

Fixed In Version: activemq-artemis-2.16.0 redhat-amq-7.8.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in AMQ 7 broker, where it allows users using the OpenWire protocol to bypass the usual permissions checks. This flaw allows an unprivileged user to create queues without verifying the role. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Jonathan Christison 2020-10-28 15:31:23 UTC
It was found that the AMQ 7 broker allows users using the OpenWire protocol to bypass the usual permissions checks; this can allow an unprivileged user to create queues without verifying the role.

Comment 1 Jonathan Christison 2020-10-28 15:32:20 UTC
Acknowledgments:

Name: Francesco Marchioni (Red Hat)

Comment 2 Jonathan Christison 2021-01-27 11:52:20 UTC
Mitigation:

If you are not using the openwire protocol, it can be disabled by removing it from the list of accepted protocols in the `broker.xml`.
```xml
<!-- acceptor whose protocols= list no longer includes OPENWIRE -->
<acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
```
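To verify that the mitigation above is applied to every acceptor, here is an added example (not part of the bug report or of the AMQ/Artemis project) that parses acceptor URLs from a constructed `broker.xml` and reports acceptors still accepting OpenWire; it assumes Artemis' documented behaviour that an acceptor without a `protocols=` parameter enables all available protocols.

```python
"""Audit an AMQ 7 / Artemis broker.xml for acceptors that still speak OpenWire.
Added example; the broker.xml content below is constructed, not from a real broker."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed sample: one acceptor hardened as in the mitigation, one that still
# lists OPENWIRE, and one with no protocols= parameter (all protocols enabled).
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT;useEpoll=true</acceptor>
      <acceptor name="legacy">tcp://0.0.0.0:61617?protocols=CORE,OPENWIRE</acceptor>
      <acceptor name="catch-all">tcp://0.0.0.0:61618?useEpoll=true</acceptor>
    </acceptors>
  </core>
</configuration>
"""


def acceptor_protocols(url: str) -> Optional[Set[str]]:
    """Return the protocol set named in an acceptor URL, or None when the
    protocols= parameter is absent (assumption: Artemis then enables every protocol)."""
    query = urlsplit(url.strip()).query
    for param in query.split(";"):  # Artemis separates URL parameters with ';'
        key, _, value = param.partition("=")
        if key.strip().lower() == "protocols":
            return {p.strip().upper() for p in value.split(",") if p.strip()}
    return None


def openwire_acceptors(broker_xml: str) -> Dict[str, str]:
    """Map acceptor name -> reason for every acceptor that still accepts OpenWire."""
    findings: Dict[str, str] = {}
    root = ET.fromstring(broker_xml)
    for acc in root.iter():
        # Strip the XML namespace so the tag compares as plain 'acceptor'.
        if acc.tag.split("}")[-1] != "acceptor" or not acc.text:
            continue
        protos = acceptor_protocols(acc.text)
        if protos is None:
            findings[acc.get("name")] = "no protocols= parameter, all protocols enabled"
        elif "OPENWIRE" in protos:
            findings[acc.get("name")] = "OPENWIRE listed in protocols"
    return findings


if __name__ == "__main__":
    for name, reason in openwire_acceptors(SAMPLE_BROKER_XML).items():
        print(f"acceptor {name!r}: {reason}")
```

Run it against a real `broker.xml` by reading the file into `openwire_acceptors`; an empty result means no acceptor accepts OpenWire.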

