[
https://issues.apache.org/jira/browse/AMQ-3211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13006569#comment-13006569
]
Michael Steiner commented on AMQ-3211:
--------------------------------------
i kindof assumed that i wouldn't be allowed to change but as i saw an edit
button and could sign up, i thought i should give it try instead of offloading
everything to you :-)
Anyway, what i would have added is along the lines of below: the disclaimer of
the second paragraph certainly needs some editing regarding version references
-- not sure how you handle that -- but i thought it would be good to document
the vulnerability. Arguably, one could also mention the getPropertyNames()
test i outlined above as temporary workaround for older versions but i'm not
100% sure whether it secure, so i omitted that.
``If you allow anonymous access, you MUST also add the
_useAuthenticatedPrincipalForJMSXUserID_ property of the broker element and
set it to true. Otherwise, anonymous clients can spoof identities. Note,
though, that for SSL certificate based authentication, e.g., when using
TextFileCertificateLoginModule JAAS module, this will change the semantics of
the broker-provided JMSXUserID. Instead of returning the DN of the certificate,
it will provide the name the DN is mapped to by the JAAS module.
Also note that versions up to (and including) 5.4.2 are vulnerable to spoofing.
A fix is included in 5.5-SNAPSHOT > March 12th, 2011.''
> JMSXUserId Can be spoofed by client
> -----------------------------------
>
> Key: AMQ-3211
> URL: https://issues.apache.org/jira/browse/AMQ-3211
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.4.2
> Reporter: Michael Steiner
> Assignee: Gary Tully
> Fix For: 5.5.0
>
> Attachments: JMSXUserID-bug.conf-src.tar.bz2, JMSXUserID-bug.diff
>
>
> It seems the JMSXUserId can be spoofed by client contrary to what
> http://activemq.apache.org/jmsxuserid.html says.
> My test setup is populateJMSXUserID="true set in a single broker, a JAAS
> config org.apache.activemq.jaas.TextFileCertificateLoginModule and using
> mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup),
> and a single consumer and producer based on small modifications of the
> ConsumerTool and ProducerTool examples in the 5.4.2 distro. See attached the
> changes to the distro package to demonstrate the bug. Just do
> 1. run apache-activemq-5.4.2/bin/activemq-admin start
> 2. in apache-activemq-5.4.2/example run ant consumer
> -Durl=ssl://localhost:61617 -Dmax=3 -Dverbose=true
> 3. in another shell in apache-activemq-5.4.2/example run ant producer
> -Durl=ssl://localhost:61617 -Dmax=3 -Dverbose=true
> 4. look at the output of the consumer for the properties printed after each
> received message (the producer spoofs only on even numbered messages)
> When the client does not set the property, then i get the properly
> authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID").
> However, when the client sets it, i get the value set by the client. The
> only difference i notice is that in the former case,
> message.getPropertyNames() does not return JMSXUserID whereas in the spoofed
> case it does.
> i wonder whether in the context of
> https://issues.apache.org/jira/browse/QPID-943 or
> https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't
> list JMSXUserID as supported in a comment even though it is?) something got
> messed up?
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
