exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2013-1029-01

Red Hat Security Advisory 2013-1029-01
Posted Jul 10, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1029-01 - Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to Fuse MQ Enterprise 7.1.0 and includes bug fixes.

tags | advisory
systems | linux, redhat
advisories | CVE-2012-6092, CVE-2012-6551, CVE-2013-1879, CVE-2013-1880, CVE-2013-2035, CVE-2013-3060
SHA-256 | d49e98b69560ade66dc250b4e224a5e152fb3faf4decf17786576ec266c040d1

Red Hat Security Advisory 2013-1029-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Fuse MQ Enterprise 7.1.0 update
Advisory ID: RHSA-2013:1029-01
Product: Fuse Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1029.html
Issue date: 2013-07-09
CVE Names: CVE-2012-6092 CVE-2012-6551 CVE-2013-1879
CVE-2013-1880 CVE-2013-2035 CVE-2013-3060
=====================================================================

1. Summary:

Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)

It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send the sample
application requests, allowing them to consume all available broker
resources. (CVE-2012-6551)

A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)

A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)

Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.

All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

924446 - CVE-2013-1879 ActiveMQ: XSS vulnerability in scheduled.jsp
924447 - CVE-2013-1880 ActiveMQ: XSS vulnerability in portfolioPublish demo application
955906 - CVE-2012-6092 activemq: Multiple XSS flaws in web demos
955907 - CVE-2012-6551 activemq: DoS by resource consumption via HTTP requests to sample webapp
955908 - CVE-2013-3060 activemq: Unauthenticated access to web console
958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-6092.html
https://www.redhat.com/security/data/cve/CVE-2012-6551.html
https://www.redhat.com/security/data/cve/CVE-2013-1879.html
https://www.redhat.com/security/data/cve/CVE-2013-1880.html
https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-3060.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3FAxXlSAg2UNWIIRAk3GAKCl5lKq02FkTzjEMpo3tJ8Xoy8IzgCgv6WI
O2Lf3I1h038va3APHQ765yQ=
=qG+d
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close