The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Activemq | Apache | * | 5.7.0 (including) |
| Activemq | Apache | 4.0 (including) | 4.0 (including) |
| Activemq | Apache | 4.0-m4 (including) | 4.0-m4 (including) |
| Activemq | Apache | 4.0-rc2 (including) | 4.0-rc2 (including) |
| Activemq | Apache | 4.0.1 (including) | 4.0.1 (including) |
| Activemq | Apache | 4.0.2 (including) | 4.0.2 (including) |
| Activemq | Apache | 4.1.0 (including) | 4.1.0 (including) |
| Activemq | Apache | 4.1.1 (including) | 4.1.1 (including) |
| Activemq | Apache | 5.0.0 (including) | 5.0.0 (including) |
| Activemq | Apache | 5.1.0 (including) | 5.1.0 (including) |
| Activemq | Apache | 5.2.0 (including) | 5.2.0 (including) |
| Activemq | Apache | 5.3.0 (including) | 5.3.0 (including) |
| Activemq | Apache | 5.3.1 (including) | 5.3.1 (including) |
| Activemq | Apache | 5.3.2 (including) | 5.3.2 (including) |
| Activemq | Apache | 5.4.0 (including) | 5.4.0 (including) |
| Activemq | Apache | 5.4.1 (including) | 5.4.1 (including) |
| Activemq | Apache | 5.4.2 (including) | 5.4.2 (including) |
| Activemq | Apache | 5.5.0 (including) | 5.5.0 (including) |
| Activemq | Apache | 5.5.1 (including) | 5.5.1 (including) |
| Activemq | Apache | 5.6.0 (including) | 5.6.0 (including) |
| Fuse Message Broker 5.5.1 | RedHat | * | |
| Fuse MQ Enterprise 7.1.0 | RedHat | * | |
| Activemq | Ubuntu | oneiric | * |
| Activemq | Ubuntu | quantal | * |
| Activemq | Ubuntu | raring | * |
| Activemq | Ubuntu | saucy | * |
| Activemq | Ubuntu | utopic | * |
| Activemq | Ubuntu | vivid | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html
- http://activemq.apache.org/activemq-580-release.html
- http://rhn.redhat.com/errata/RHSA-2013-1029.html
- http://rhn.redhat.com/errata/RHSA-2013-1221.html
- http://www.securityfocus.com/bid/59402
- https://fisheye6.atlassian.com/changelog/activemq?cs=1404998
- https://issues.apache.org/jira/browse/AMQ-4124
- https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282
- http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html
- http://activemq.apache.org/activemq-580-release.html
- http://rhn.redhat.com/errata/RHSA-2013-1029.html
- http://rhn.redhat.com/errata/RHSA-2013-1221.html
- http://www.securityfocus.com/bid/59402
- https://fisheye6.atlassian.com/changelog/activemq?cs=1404998
- https://issues.apache.org/jira/browse/AMQ-4124
- https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282