Author: buildbot
Date: Mon May 23 17:22:13 2016
New Revision: 988958
Log:
Production update by buildbot for activemq
Added:
websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
Modified:
websites/production/activemq/content/cache/main.pageCache
websites/production/activemq/content/security-advisories.html
Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added:
websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
==============================================================================
---
websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
(added)
+++
websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
Mon May 23 17:22:13 2016
@@ -0,0 +1,26 @@
+CVE-2016-3088 - ActiveMQ Fileserver web application vulnerabilities
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.2
+
+Description:
+
+Multiple vulnerabilities have been identified in the Apache ActiveMQ
Fileserver web application. These are similar to those reported in
CVE-2015-1830 and can allow attackers to replace web application files with
malicious code and perform remote code execution on the system.
+
+Mitigation:
+
+Fileserver feature will be completely removed starting with 5.14.0 release.
Users are advised to use other FTP and HTTP based file servers for transferring
blob messages. Fileserver web application SHOULD NOT be used in older version
of the broker and it should be disabled (it has been disabled by default since
5.12.0). This can be done by removing (commenting out) the following lines from
conf\jetty.xml file
+
+<bean class="org.eclipse.jetty.webapp.WebAppContext">
+ <property name="contextPath" value="/fileserver" />
+ <property name="resourceBase" value="${activemq.home}/webapps/fileserver"
/>
+ <property name="logUrlOnStart" value="true" />
+ <property name="parentLoaderPriority" value="true" />
+</bean>
+
+Credit:
+This issue was discovered by separated reports of Simon Zuckerbraun and Andrea
Micalizzi (rgod) of Trend Micro Zero Day Initiative
\ No newline at end of file
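Review bot: The Mitigation paragraph names no release to upgrade to. "Versions Affected" ends at 5.13.2 and the only other version mentioned is 5.14.0, where Fileserver is removed, so the text does not say whether a release after 5.13.2 and before 5.14.0 is still affected. Either state the first unaffected release explicitly, or say that removing the /fileserver WebAppContext is the only remedy until 5.14.0. Smaller points in the same hunk: "conf\jetty.xml" uses a Windows path separator while the quoted bean uses "${activemq.home}/webapps/fileserver", so "conf/jetty.xml" would be consistent; "separated reports" in Credit should read "separate reports"; and the file ends without a trailing newline.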
Modified: websites/production/activemq/content/security-advisories.html
==============================================================================
--- websites/production/activemq/content/security-advisories.html (original)
+++ websites/production/activemq/content/security-advisories.html Mon May 23
17:22:13 2016
@@ -72,7 +72,7 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2
id="SecurityAdvisories-ApacheActiveMQ">Apache ActiveMQ</h2><h3
id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&modificationDate=1457613666000&api=v2"
data-linked-resource-id="62687061" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0734-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2016-0734</a> - ActiveMQ
Web Console - Clickjacking</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-0782-announcement.txt?version=1&modificationDate=1457613720014&api=v2"
data-linked-resource-id="62687062" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0782-announce
ment.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2016-0782</a> - ActiveMQ
Web Console - Cross-Site Scripting</li></ul><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v2"
data-linked-resource-id="61331741" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5254-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2015-5254</a> - Unsafe
deserialization in ActiveMQ</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&modificationDate=1440426986000&api=v2"
data-linked-resou
rce-id="61313840" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2015-1830</a> - Path traversal
leading to unauthenticated RCE in ActiveMQ </li></ul><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&modificationDate=1446901063000&api=v2"
data-linked-resource-id="61327457" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3576-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3576</a> - Remote
Unauthenticated Shutdown of Br
oker (DoS)</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&modificationDate=1423051306000&api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3600</a> - Apache
ActiveMQ XXE with XPath selectors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&modificationDate=1423051365000&api=v2"
data-linked-resource-id="52035731" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957
" data-linked-resource-container-version="9">CVE-2014-3612</a> - ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard
Interpretation</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&modificationDate=1423051381000&api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-8110-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-8110</a> - <span
style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site
Scripting</span><span style="line-height: 1.4285715;"><br
clear="none"></span></li></ul><h2 id="SecurityAdvisories-ActiveMQApollo"><span
style="line-height: 1.4285715;">ActiveMQ Apollo</span></h2><h3
id="SecurityAdvisories-2014.1"><span style="line-heigh
t: 1.4285715;">2014</span></h3><ul><li><span style="line-height:
1.4285715;"><span style="line-height: 1.4285715;"> </span></span><a
shape="rect"
href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3579</a><span
style="line-height: 1.4285715;"> - ActiveMQ Apollo XXE with XPath
selectors</span></li></ul><p><span style="line-height:
1.4285715;"> </span></p></div>
+<div class="wiki-content maincontent"><h2
id="SecurityAdvisories-ApacheActiveMQ">Apache ActiveMQ</h2><h3
id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&modificationDate=1457613666000&api=v2"
data-linked-resource-id="62687061" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0734-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-0734</a> - ActiveMQ
Web Console - Clickjacking</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-0782-announcement.txt?version=2&modificationDate=1458229308000&api=v2"
data-linked-resource-id="62687062" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0782-announc
ement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-0782</a> - ActiveMQ
Web Console - Cross-Site Scripting</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-3088-announcement.txt?version=4&modificationDate=1464022661036&api=v2"
data-linked-resource-id="63406525" data-linked-resource-version="4"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-3088-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-3088</a> - ActiveMQ
Fileserver web application vulnerabilities</li></ul><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v
2" data-linked-resource-id="61331741" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5254-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2015-5254</a> - Unsafe
deserialization in ActiveMQ</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&modificationDate=1440426986000&api=v2"
data-linked-resource-id="61313840" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2015-1830</a> - Path traversal
leading to unauthenticated RCE in ActiveMQ </li></ul><h3 id="SecurityAdviso
ries-2014">2014</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&modificationDate=1446901063000&api=v2"
data-linked-resource-id="61327457" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3576-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3576</a> - Remote
Unauthenticated Shutdown of Broker (DoS)</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&modificationDate=1423051306000&api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-
id="51808957"
data-linked-resource-container-version="10">CVE-2014-3600</a> - Apache
ActiveMQ XXE with XPath selectors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&modificationDate=1423051365000&api=v2"
data-linked-resource-id="52035731" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3612</a> - ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard
Interpretation</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&modificationDate=1423051381000&api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2"
data-linked-resource-type="attachment" data-linked-reso
urce-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-8110</a> - <span
style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site
Scripting</span><span style="line-height: 1.4285715;"><br
clear="none"></span></li></ul><h2 id="SecurityAdvisories-ActiveMQApollo"><span
style="line-height: 1.4285715;">ActiveMQ Apollo</span></h2><h3
id="SecurityAdvisories-2014.1"><span style="line-height:
1.4285715;">2014</span></h3><ul><li><span style="line-height: 1.4285715;"><span
style="line-height: 1.4285715;"> </span></span><a shape="rect"
href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&modificationDate=1423054118000&api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-anno
uncement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3579</a><span
style="line-height: 1.4285715;"> - ActiveMQ Apollo XXE with XPath
selectors</span></li></ul><p><span style="line-height:
1.4285715;"> </span></p></div>
</td>
<td valign="top">
<div class="navigation">
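Review bot: The replaced line changes more than the new CVE-2016-3088 entry, and because the whole "wiki-content maincontent" div is a single line those extra changes are easy to miss. The CVE-2016-0782 link moves from "version=1&modificationDate=1457613720014" to "version=2&modificationDate=1458229308000", and every data-linked-resource-container-version goes from 9 to 10, none of which the log message mentions. Emitting one li per line in the generated page would let a diff show only the added entry and any attachment whose version really changed. The new href also carries raw "&" separators in its query string, as the existing ones do; "&amp;" is the safe form inside an attribute value.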