Malware Devil

Monday, March 8, 2021

ESB-2021.0807 – [Debian] activemq: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0807
                         activemq security update
                               8 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           activemq
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26117 CVE-2019-0222 CVE-2018-11775
                   CVE-2017-15709  

Reference:         ESB-2021.0381
                   ESB-2020.3485
                   ESB-2020.1030

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2583

- --------------------------BEGIN INCLUDED TEXT--------------------


- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2583-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
March 05, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : activemq
Version        : 5.14.3-3+deb9u2
CVE ID         : CVE-2017-15709 CVE-2018-11775 CVE-2019-0222 
                 CVE-2021-26117
Debian Bug     : 890352 908950 982590

Multiple security issues were discovered in activemq, a message 
broker built around Java Message Service.

CVE-2017-15709

    When using the OpenWire protocol in activemq, it was found that 
    certain system details (such as the OS and kernel version) are 
    exposed as plain text.

CVE-2018-11775

    TLS hostname verification was missing when using the Apache ActiveMQ 
    Client, which could make the client vulnerable to a MITM attack 
    between a Java application using the ActiveMQ client and the 
    ActiveMQ server. Hostname verification is now enabled by default.

CVE-2019-0222

    Unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory 
    exception, making the broker unresponsive.

CVE-2021-26117

    The optional ActiveMQ LDAP login module can be configured to use
    anonymous access to the LDAP server. The anonymous context was 
    erroneously used to verify a valid user's password, resulting in no 
    check on the password at all.
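The anonymous-bind mistake described for CVE-2021-26117, as an added illustration that is not ActiveMQ's own code: a constructed Python stand-in for an LDAP directory (FakeLdapContext, BindError and the sample DIRECTORY are all assumptions made here) shows a login routine that treats a successful user lookup over the anonymous context as authentication, beside the corrected routine that re-binds with the resolved user DN and the supplied password.

```python
from dataclasses import dataclass
from typing import Dict, Optional

class BindError(Exception):
    """An LDAP simple bind with the given DN and password was rejected."""

@dataclass
class FakeLdapContext:
    """Constructed stand-in for a bound LDAP context; bound_as is None when anonymous."""
    entries: Dict[str, Dict[str, str]]
    bound_as: Optional[str] = None

    @classmethod
    def bind(cls, entries, dn=None, password=None):
        if dn is None:
            return cls(entries, None)  # anonymous bind: always succeeds
        entry = entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise BindError(dn)
        return cls(entries, dn)

    def search_user_dn(self, username):
        # Resolve a login name to a DN, as the login module's user search does.
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == username:
                return dn
        return None

def authenticate_vulnerable(entries, username, password):
    # Misconfigured path: the anonymous context resolves the user and that
    # lookup alone is treated as proof of identity; `password` is never sent.
    return FakeLdapContext.bind(entries).search_user_dn(username) is not None

def authenticate_fixed(entries, username, password):
    # Corrected path: the anonymous context only resolves the DN; the user's
    # own credentials must then succeed in a second, authenticated bind.
    if not password:  # RFC 4513: DN plus empty password is an unauthenticated bind
        return False
    user_dn = FakeLdapContext.bind(entries).search_user_dn(username)
    if user_dn is None:
        return False
    try:
        FakeLdapContext.bind(entries, user_dn, password)
    except BindError:
        return False
    return True

DIRECTORY = {  # constructed sample data
    "uid=alice,ou=users,dc=example,dc=org": {"uid": "alice", "userPassword": "correct-horse"},
}
```

The empty-password guard matters against real servers too: a simple bind with a DN and no password is defined by RFC 4513 as an unauthenticated bind, so it succeeds without proving anything.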

For Debian 9 stretch, these problems have been fixed in version
5.14.3-3+deb9u2.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
