ActiveMQ Path traversal leading to unauthenticated RCE

2015.08.20
Credit: David Jorm of IIX
Risk: High
Local: No
Remote: Yes
CVE: CVE-2015-1830
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE-2015-1830 - Path traversal leading to unauthenticated RCE in ActiveMQ Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache ActiveMQ 5.0.0 - 5.11.1 Description: There is a directory traversal flaw in the fileserver upload/download functionality used for blob messages. The attacker can put a jsp file in the admin console and execute shell command from there. It’s only vulnerable in the Windows OS. Mitigation: Upgrade to Apache ActiveMQ 5.12.0 or 5.11.2. The workaround in case fileserver is not used and upgrade is not prefereable is to disable that functionality. It can be done by removing (commenting out) the following lines from conf\jetty.xml file <bean class="org.eclipse.jetty.webapp.WebAppContext"> <property name="contextPath" value="/fileserver" /> <property name="resourceBase" value="${activemq.home}/webapps/fileserver" /> <property name="logUrlOnStart" value="true" /> <property name="parentLoaderPriority" value="true" /> </bean> Credit: This issue was discovered by David Jorm from IIX Product Security

References:

http://www.securitytracker.com/id/1033315
http://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top