rhsa-2013_1221
Vulnerability from csaf_redhat
Published
2013-09-09 16:54
Modified
2024-11-22 07:05
Summary
Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update

Notes

Topic
An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Details
Fuse Message Broker is a messaging platform based on Apache ActiveMQ that provides SOA infrastructure to connect processes across heterogeneous systems. It was found that, by default, the Apache ActiveMQ web console did not require authentication. A remote attacker could use this flaw to modify the state of the Apache ActiveMQ environment, obtain sensitive information, or cause a denial of service. (CVE-2013-3060) This update delivers a README file which describes how to manually configure an XML properties file to fix this flaw. Back up existing Fuse Message Broker configuration files before making changes.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1\nthat fixes one security issue is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Fuse Message Broker is a messaging platform based on Apache ActiveMQ that\nprovides SOA infrastructure to connect processes across heterogeneous\nsystems.\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nThis update delivers a README file which describes how to manually\nconfigure an XML properties file to fix this flaw. Back up existing Fuse\nMessage Broker configuration files before making changes.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1221",
        "url": "https://access.redhat.com/errata/RHSA-2013:1221"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10"
      },
      {
        "category": "external",
        "summary": "955908",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1221.json"
      }
    ],
    "title": "Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update",
    "tracking": {
      "current_release_date": "2024-11-22T07:05:09+00:00",
      "generator": {
        "date": "2024-11-22T07:05:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:1221",
      "initial_release_date": "2013-09-09T16:54:00+00:00",
      "revision_history": [
        {
          "date": "2013-09-09T16:54:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-09-09T16:55:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:05:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Fuse Message Broker 5.5.1",
                "product": {
                  "name": "Fuse Message Broker 5.5.1",
                  "product_id": "Fuse Message Broker 5.5.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:fuse_message_broker:5.5.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Fuse Enterprise Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-3060",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2013-04-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "955908"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "activemq: Unauthenticated access to web console",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Fuse Message Broker 5.5.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-3060"
        },
        {
          "category": "external",
          "summary": "RHBZ#955908",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060"
        }
      ],
      "release_date": "2012-11-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-09-09T16:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Back up existing Fuse Message Broker\nconfiguration files before making changes.",
          "product_ids": [
            "Fuse Message Broker 5.5.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1221"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Fuse Message Broker 5.5.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "activemq: Unauthenticated access to web console"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.