JAVA安全网JAVA安全网

生命不息,折腾不止。
--JAVA人自留地。

[CVE-2017-15709]Apache ActiveMQ Information Leak

2017年的第二个cve


问题原因:

Apache ActiveMQ默认消息队列61616端口对外,61616端口使用了OpenWire协议,这个端口会暴露服务器相关信息,这些相关信息实际上是debug信息。

会返回应用名称,JVM,操作系统以及内核版本等信息。
Apache-ActiveMQ_1.png
影响版本:

apache-activemq-5.15.0 to apache-activemq-5.15.2
apache-activemq-5.14.0 to apache-activemq-5.14.5
漏洞修复:
Apache-ActiveMQ_2.png
Apache-ActiveMQ_3.png
测试用例:

修复前:

@Test
-    public void testClientProperties() throws Exception{
-        BrokerService service = createBrokerService();
-        try {
-            ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
-            ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
-            final AtomicReference<WireFormatInfo> clientWf = new AtomicReference<WireFormatInfo>();
-            conn.addTransportListener(new DefaultTransportListener() {
-                @Override
-                public void onCommand(Object command) {
-                    if (command instanceof WireFormatInfo) {
-                        clientWf.set((WireFormatInfo)command);
-                    }
-                }
-            });
-            conn.start();
-            if (clientWf.get() == null) {
-                fail("Wire format info is null");
-            }
-            assertTrue(clientWf.get().getProperties().containsKey("ProviderName"));
-            assertTrue(clientWf.get().getProperties().containsKey("ProviderVersion"));
-            assertTrue(clientWf.get().getProperties().containsKey("PlatformDetails"));
-            assertTrue(clientWf.get().getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
-            assertTrue(clientWf.get().getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
-        } finally {
-            stopBroker(service);

修复后:

+    public void testClientPropertiesWithDefaultPlatformDetails() throws Exception{
+        WireFormatInfo clientWf = testClientProperties(brokerUri);
+        assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.DEFAULT_PLATFORM_DETAILS));
+    }
+
+    @Test
+    public void testClientPropertiesWithPlatformDetails() throws Exception{
+        WireFormatInfo clientWf = testClientProperties(brokerUri + "?wireFormat.includePlatformDetails=true");
+        assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
+    }
+
+    private WireFormatInfo testClientProperties(String brokerUri) throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
+        ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
+        conn.start();
+
+        assertTrue(connector.getConnections().size() == 1);
+        final WireFormatInfo clientWf = connector.getConnections().get(0).getRemoteWireFormatInfo();
+        if (clientWf == null) {
+            fail("Wire format info is null");
         }
+
+        //verify properties that the client sends to the broker
+        assertTrue(clientWf.getProperties().containsKey("ProviderName"));
+        assertTrue(clientWf.getProperties().containsKey("ProviderVersion"));
+        assertTrue(clientWf.getProperties().containsKey("PlatformDetails"));
+        assertTrue(clientWf.getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
+
+        return clientWf;
     }

修复版本:

Apache Active MQ 5.14.6

Apache Active MQ 5.15.3

Apache Active MQ 5.16.0

官方公布的草案:

CVE-2017-15709 - Information Leak

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache ActiveMQ 5.14.0 - 5.15.2

Description:

When using the OpenWire protocol it was found that certain system details (such as the OS and kernel version) are exposed as plain text.

Mitigation:

Use a TLS enabled transport or upgrade to Apache ActiveMQ 5.14.6 or 5.15.3.  


Credit:

This issue was discovered by QingTeng cloud Security of Minded Security Researcher jianan.huang

参考信息:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15709

https://issues.apache.org/jira/browse/AMQ-6871

http://activemq.apache.org/security-advisories.html

http://activemq.apache.org/security-advisories.data/CVE-2017-15709-announcement.txt

未经允许不得转载:JAVA安全网 » [CVE-2017-15709]Apache ActiveMQ Information Leak

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址