NIST CVEs for ActiveMQ

NIST CVEs for ActiveMQ

Colm O hEigeartaigh
Hi,

I previously posted this to the private list (last year), but I didn't get
any reply - so maybe I'll have more luck here :-)

I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which have
no "fix" version associated with them. Please give me some feedback on the
following:

1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 (
https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The redhat bug is
marked as "WONTFIX", so I'm not sure if this was accepted as a valid issue
or not?

2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported against
the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
codebase for this issue?

3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported against
the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
codebase for this issue?

I can communicate the findings with NIST to update the CVEs if I get some
feedback.

Colm.
Re: NIST CVEs for ActiveMQ

jbonofre

Hi Colm

I will do a review as I'm preparing 5.16.0 and 5.15.11 releases.

Thanks for the reminder.

Regards
JB

On Thursday, October 17, 2019 13:52 CEST, Colm O hEigeartaigh <[hidden email]> wrote:
Re: NIST CVEs for ActiveMQ

gtully
for 2 and 3, the fix is in the http endpoint configuration for hawtio
for 1, configuring jolokia.policyLocation is all that is required.
that was not possible in earlier versions of A-MQ.

I don't think any of the above are relevant to activemq 5.


On Thu, 17 Oct 2019 at 12:53, [hidden email] <[hidden email]> wrote:

Re: NIST CVEs for ActiveMQ

Colm O hEigeartaigh
Thanks Gary. OK so for 2 + 3, the issue is in Hawtio and not AMQ, so I will
alert NIST about changing the CPE score for these issues so that we don't
see CVEs appearing when scanning AMQ artifacts.

Just to get a bit more clarity on your comment for point (1) - grepping the
AMQ source for "jolokia.policyLocation" doesn't throw anything up. There is
a reference in the Hawt IO source though for it (
https://github.com/hawtio/hawtio/search?q=jolokia.policyLocation&unscoped_q=jolokia.policyLocation).
Does this mean the issue was not fixed in AMQ?

Colm.

On Thu, Oct 17, 2019 at 2:32 PM Gary Tully <[hidden email]> wrote:

Re: NIST CVEs for ActiveMQ

gtully
I don't think there is any need for code change, just a lack of
documentation or a reference to refer to the jolokia docs on how to
lock down jolokia.
https://jolokia.org/reference/html/security.html#security-policy-location

I have not looked into that in detail but my guess is it should be
possible to add that config.


On Fri, 18 Oct 2019 at 12:13, Colm O hEigeartaigh <[hidden email]> wrote:

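Gary's answer to point (1) comes down to pointing the Jolokia agent at an access policy through `jolokia.policyLocation`. The file below is an added illustration and is not from this thread or from the ActiveMQ or hawtio projects: a Jolokia policy file in the format described at the security-policy link above, restricting the agent to read-only request types from the loopback address. The path `/etc/activemq/jolokia-access.xml` is an assumed location.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: /etc/activemq/jolokia-access.xml. The broker JVM is
     started with -Djolokia.policyLocation=file:///etc/activemq/jolokia-access.xml
     so the agent loads this policy; without a policy file Jolokia applies
     no restrictions of its own. -->
<restrict>
  <!-- Only accept Jolokia requests originating from the local host. -->
  <remote>
    <host>127.0.0.1</host>
  </remote>
  <!-- Listing commands is an allow-list: only these request types are served.
       "write" and "exec" are deliberately absent, so attribute writes and
       MBean operation invocations are rejected with a 403. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>
</restrict>
```

A quick check after restarting the broker is to issue a write or exec request against the Jolokia endpoint from the console host and confirm it is refused while reads still succeed.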