
List:       activemq-dev
Subject:    Re: NIST CVEs for ActiveMQ
From:       Gary Tully <gary.tully () gmail ! com>
Date:       2019-10-18 11:27:08
Message-ID: CAH+vQmM4+-H43q6mFMa+NCnNXmP5qiVaWKHZ818jtfD2iTEFTA () mail ! gmail ! com

I don't think there is any need for code change, just a lack of
documentation or a reference to refer to the jolokia docs on how to
lock down jolokia.
https://jolokia.org/reference/html/security.html#security-policy-location

I have not looked into that in detail but my guess is it should be
possible to add that config.


On Fri, 18 Oct 2019 at 12:13, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
> Thanks Gary. OK so for 2 + 3, the issue is in Hawtio and not AMQ, so I will
> alert NIST about changing the CPE score for these issues so that we don't
> see CVEs appearing when scanning AMQ artifacts.
>
> Just to get a bit more clarity on your comment for point (1) - grepping the
> AMQ source for "jolokia.policyLocation" doesn't throw anything up. There is
> a reference in the Hawt IO source though for it (
> https://github.com/hawtio/hawtio/search?q=jolokia.policyLocation&unscoped_q=jolokia.policyLocation).
> Does this mean the issue was not fixed in AMQ?
>
> Colm.
>
> On Thu, Oct 17, 2019 at 2:32 PM Gary Tully <gary.tully@gmail.com> wrote:
>
> > for 2 and 3, the fix is in the http endpoint configuration for hawtio
> > for 1, configuring jolokia.policyLocation is all that is required.
> > that was not possible in earlier versions of A-MQ.
> >
> > I don't think any of the above are relevant to activemq 5.
> >
> >
> > On Thu, 17 Oct 2019 at 12:53, jb@nanthrax.net <jb@nanthrax.net> wrote:
> > >
> > >
> > > Hi Colm
> > >
> > > I will do a review as I'm preparing 5.16.0 and 5.15.11 releases.
> > >
> > > Thanks for the reminder.
> > >
> > > Regards
> > > JB
> > >
> > > On Thursday, October 17, 2019 13:52 CEST, Colm O hEigeartaigh <
> > > coheigea@apache.org> wrote:
> > >
> > > Hi,
> > >
> > > I previously posted this to the private list (last year), but I didn't get
> > > any reply - so maybe I'll have more luck here :-)
> > >
> > > I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which have
> > > no "fix" version associated with them. Please give me some feedback on the
> > > following:
> > >
> > > 1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 (
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The redhat bug is
> > > marked as "WONTFIX", so I'm not sure if this was accepted as a valid issue
> > > or not?
> > >
> > > 2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported against
> > > the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
> > > don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
> > > do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
> > > codebase for this issue?
> > >
> > > 3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported against
> > > the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
> > > don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
> > > do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
> > > codebase for this issue?
> > >
> > > I can communicate the findings with NIST to update the CVEs if I get some
> > > feedback.
> > >
> > > Colm.
> > >
> >
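Gary's point (1) is that the mitigation is a Jolokia access policy selected through `jolokia.policyLocation`. The file below is an added example of such a policy, written by the editor of this archive page and not taken from the thread, ActiveMQ or Jolokia. It follows the `jolokia-access.xml` format documented at the Jolokia security reference linked above; the MBean names and the file path are placeholders, and it assumes the broker JVM is started with `-Djolokia.policyLocation=file:///path/to/jolokia-access.xml` (the property named in the thread) so that this file, rather than Jolokia's default unrestricted behaviour, governs the endpoint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not from the thread: loaded via
     -Djolokia.policyLocation=file:///path/to/jolokia-access.xml (placeholder path). -->
<restrict>

  <!-- Only accept requests from the management host(s); "remote" matches the
       client address. Placeholder values: adjust to the real admin network. -->
  <remote>
    <host>127.0.0.1</host>
    <host>10.0.0.0/8</host>
  </remote>

  <!-- Browser cross-origin requests: allow only the trusted console origin and
       require the Origin header to match it strictly. -->
  <cors>
    <allow-origin>https://console.example.internal</allow-origin>
    <strict-checking/>
  </cors>

  <!-- Listing the commands here makes it an allow-list: anything not named
       ("exec", "write", "search", ...) is refused regardless of MBean. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
  </commands>

  <!-- Even for the allowed commands, keep JVM-level MBeans out of reach of the
       endpoint. MBean names are placeholders illustrating the matching syntax. -->
  <deny>
    <mbean>
      <name>java.lang:type=Runtime</name>
      <attribute>SystemProperties</attribute>
    </mbean>
    <mbean>
      <name>com.sun.management:type=DiagnosticCommand</name>
    </mbean>
  </deny>

</restrict>
```

Two things are worth checking after deploying a file like this: that the broker log shows the policy being picked up from the configured location rather than falling back to the default, and that a request for a denied MBean comes back with `"status": 403` in Jolokia's JSON response while a permitted `read` of a broker MBean still succeeds. Note that a request blocked by `<remote>` or by the `<commands>` allow-list is refused before any `<allow>`/`<deny>` MBean rule is consulted, so the narrower `<commands>` list is the setting that does most of the work.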