Operating System:

[WIN][UNIX/Linux][RedHat]

Published:

10 July 2013

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ESB-2013.0951 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0951
                Important: Fuse MQ Enterprise 7.1.0 update
                               10 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fuse MQ Enterprise
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Overwrite Arbitrary Files -- Existing Account            
                   Denial of Service         -- Remote/Unauthenticated      
                   Cross-site Scripting      -- Remote with User Interaction
                   Access Confidential Data  -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3060 CVE-2013-2035 CVE-2013-1880
                   CVE-2013-1879 CVE-2012-6551 CVE-2012-6092

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2013-1029.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse MQ Enterprise 7.1.0 update
Advisory ID:       RHSA-2013:1029-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1029.html
Issue date:        2013-07-09
CVE Names:         CVE-2012-6092 CVE-2012-6551 CVE-2013-1879 
                   CVE-2013-1880 CVE-2013-2035 CVE-2013-3060 
=====================================================================

1. Summary:

Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)

It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send the sample
application requests, allowing them to consume all available broker
resources. (CVE-2012-6551)

A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)

A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)

Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.

All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

924446 - CVE-2013-1879 ActiveMQ: XSS vulnerability in scheduled.jsp
924447 - CVE-2013-1880 ActiveMQ: XSS vulnerability in portfolioPublish demo application
955906 - CVE-2012-6092 activemq: Multiple XSS flaws in web demos
955907 - CVE-2012-6551 activemq: DoS by resource consumption via HTTP requests to sample webapp
955908 - CVE-2013-3060 activemq: Unauthenticated access to web console
958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-6092.html
https://www.redhat.com/security/data/cve/CVE-2012-6551.html
https://www.redhat.com/security/data/cve/CVE-2013-1879.html
https://www.redhat.com/security/data/cve/CVE-2013-1880.html
https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-3060.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3FAxXlSAg2UNWIIRAk3GAKCl5lKq02FkTzjEMpo3tJ8Xoy8IzgCgv6WI
O2Lf3I1h038va3APHQ765yQ=
=qG+d
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUdzhVxLndAQH1ShLAQIjixAAk8FkB7D7PO3Z/P0m2xviQK81xKM1FRx6
p0o4Mjy8WcgqPZ5BTZaxX/eS4Hutc11Lc3lXqvPfxDiRK2pIKQMf50ptKsiHm+jV
gdapa3iXvMXOGAOAh4OvktTfKXtICp7zAWwdTsZJXMU1cljT5XqR/M2jHNTmJE4a
G7wLuRsCcdMsL/9f4ZyHPdFLiagcL/BxsjF+nduAke2j3AOvWl/mGKxiJfcGM8V8
dWAllx1UclsLR4aIq4IhiHsecMcoUtpdO6rI6TwwjiawEWpm/me/JNKmcGDdrBiF
Mc/QD7Qj4OdXRUJOKwGBbEhYPcYuYOeeqzB3WEml26oCjN2Len2FVMxsE606z3sK
42w7NUBYGJO/TYc8v/iaf1p2tsmRW+13LjQF11JOozNdtWbr7L3H+cVFwkVC1UwW
n2lWdclPliD2lD8ksFiUhkhCUEBr16ne3NPDuiV4uFY5/og1G2XuRIm+Zm0s5Q0w
N7kt16vN5cD359MUhN4Sx91Ld4CE6EtbzMtmw0VQ1RiMEiV848GJ0W+0AUG3PMhG
rqNk+x5vncsCH1yVC69HgRW6+SGi2LR2BpgPDtCmGpTY/Qi1pwKb6Q0dRuIiAI5t
wupsiYgbB5zyWD8/lACnrxlhGBOFCKdDPeJCoSV76VO+o3hWbgcGHjOEXAcDmbea
iYfRyFjmWSU=
=k9xo
-----END PGP SIGNATURE-----