> Maybe I wanna publish the full details of this vulnerability at
> https://paper.seebug.org/category/404team-en/
> I want more security researchers to learn about this vulnerability.
I've CC'd in the security email, in case they have a view on it. There's a bit of a delicate balance. In terms of the information the project itself gives out, we'd want to enable users to ensure they are not vulnerable whilst at the same time not giving too much information to people who may wish to use it maliciously. Given that I worked on this, I'd probably be well placed to do a writeup on the issue myself.

> By the way, I wanna ask you one question.
> I'm 23 years old. I want to one day in the future join the Apache security PMC.
> What efforts do I need to make to join?

Again, probably a question for the security team, rather than me (I'm not a member of the security team), but I'd suggest the following:

* Start by reading this: https://www.apache.org/security/committers.html - this has the vulnerability disclosure process, and details the process by which a vulnerability is disclosed, fixed and released for ASF projects.
* Ensure anything you disclose for ASF projects follows that process
* Work with the projects to fix any issues; provide PRs, participate on the mailing lists
* There's a large number of projects at the ASF, maybe pick a couple and join their communities. TomEE is interesting as it brings a number of other ASF projects together to produce a server targeting the Java EE / Jakarta EE web profile. Vulnerabilities in those projects may or may not have an effect on TomEE as well.

Jon

On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm <[email protected]> wrote:

> Hi,
>
> By the way, I wanna ask you one question.
> I'm 23 years old. I want to one day in the future join the Apache security
> PMC.
> What efforts do I need to make to join?
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
>
>
> r00t 4dm <[email protected]> wrote on Wed, Dec 23, 2020 at 12:50 AM:
>
>> Maybe I wanna publish the full details of this vulnerability at
>> https://paper.seebug.org/category/404team-en/
>> I want more security researchers to learn about this vulnerability.
>>
>> r00t4dm
>> A-TEAM of Legendsec at Qi'anxin Group
>>
>>
>> Jonathan Gallimore <[email protected]> wrote on Wed, Dec 23, 2020 at 12:43 AM:
>>
>>> Specifically, what it is you're looking to publish, and where?
>>>
>>> Jon
>>>
>>> On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Using the test case
>>>> https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1
>>>> I found how to open the 1099 port. If I fully succeed, can I make this
>>>> vulnerability public?
>>>>
>>>> r00t4dm
>>>> A-TEAM of Legendsec at Qi'anxin Group
>>>>
>>>>
>>>> r00t 4dm <[email protected]> wrote on Wed, Dec 23, 2020 at 12:03 AM:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for your reply. I really want to know what configuration can open
>>>>> the 1099 port. I worked on this vulnerability for five days; still nothing
>>>>> came of it.
>>>>> I tested:
>>>>>
>>>>> 1.
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <tomee>
>>>>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>>>
>>>>>   <!-- activate next line to be able to deploy applications in apps -->
>>>>>   <!-- <Deployments dir="apps" /> -->
>>>>>
>>>>>   <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>>>>>     BrokerXmlConfig=broker:(vm://broker)?useJmx=true
>>>>>     ServerUrl=vm://broker?create=true
>>>>>   </Resource>
>>>>> </tomee>
>>>>>
>>>>> 2.
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <tomee>
>>>>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>>>
>>>>>   <!-- activate next line to be able to deploy applications in apps -->
>>>>>   <Deployments dir="apps" />
>>>>>
>>>>>
>>>>>   <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
>>>>>     BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true
>>>>>     ServerUrl=vm://localhost?create=true
>>>>>   </Resource>
>>>>>
>>>>>   <Resource id="MyJmsConnectionFactory" type="javax.jms.ConnectionFactory">
>>>>>     ResourceAdapter = MyJmsResourceAdapter
>>>>>   </Resource>
>>>>>
>>>>>
>>>>>   <Container id="MyJmsMdbContainer" ctype="MESSAGE">
>>>>>     ResourceAdapter = MyJmsResourceAdapter
>>>>>   </Container>
>>>>>
>>>>>   <Resource id="FooQueue" type="javax.jms.Queue"/>
>>>>>   <Resource id="BarTopic" type="javax.jms.Topic"/>
>>>>>
>>>>> </tomee>
>>>>>
>>>>> and more and more...
>>>>>
>>>>> but they all failed.
>>>>>
>>>>> Can you give me more details? Or is there any other way to get more
>>>>> details?
>>>>> I think the vulnerability has been fixed. Can we make it public? I just
>>>>> want to learn...
>>>>>
>>>>> r00t4dm
>>>>> A-TEAM of Legendsec at Qi'anxin Group
>>>>>
>>>>>
>>>>> Jonathan Gallimore <[email protected]> wrote on Tue, Dec 22, 2020 at 9:55 PM:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks for your email about this issue. I've snipped out the images
>>>>>> from your email below, as they make the message quite large and cause some
>>>>>> mail lists to reject the message.
>>>>>>
>>>>>> When I received your email, I did do a check with a fresh vanilla
>>>>>> TomEE 7.1.3, with a simple application deployed, and a vulnerable
>>>>>> configuration. A JMX port was opened on tcp/1099 without authentication, so
>>>>>> I can confirm that TomEE 7.1.3 is vulnerable to this issue. We worked quite
>>>>>> extensively with the reporter to validate and reproduce the issue.
>>>>>>
>>>>>> There are a couple of things to note:
>>>>>>
>>>>>> * CVE-2020-13931 is the result of an incomplete fix for
>>>>>> CVE-2020-11969, and specifically there is an edge-case that will cause this
>>>>>> port to be opened up
>>>>>> * The edge-case we saw can be mitigated through a configuration
>>>>>> change or by upgrading.
>>>>>> * The configuration error was a simple error to make, and having an
>>>>>> unwanted, unauthenticated JMX port open when it wasn't
>>>>>> explicitly configured, so a further patch was worthwhile (hence the further
>>>>>> CVE). There may be other usages of the server which may also have exposed
>>>>>> this issue.
>>>>>>
>>>>>> I hope that answers your queries. We don't give out vulnerable
>>>>>> configurations or specific reproduction steps for security issues. If you
>>>>>> have follow-up questions for this, I'd encourage you to post on the
>>>>>> [email protected] or [email protected] mailing lists. If you
>>>>>> have other security related issues to report, [email protected] is
>>>>>> the address to report them (CC'd).
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>>
>>>>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm <[email protected]> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> On 2020/12/17 on the oss-security list I saw the email "[oss-security]
>>>>>>> CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can
>>>>>>> lead to JMX being enabled".
>>>>>>>
>>>>>>> Here is the content of this email:
>>>>>>>
>>>>>>>> Severity: High
>>>>>>>> Vendor: The Apache Software Foundation
>>>>>>>> Versions Affected:
>>>>>>>> Apache TomEE 8.0.0-M1 - 8.0.3
>>>>>>>> Apache TomEE 7.1.0 - 7.1.3
>>>>>>>> Apache TomEE 7.0.0-M1 - 7.0.8
>>>>>>>> Apache TomEE 1.0.0 - 1.7.5
>>>>>>>> Description:
>>>>>>>> If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
>>>>>>>> broker config is misconfigured, a JMX port is opened on TCP port 1099,
>>>>>>>> which does not include authentication. CVE-2020-11969 previously addressed
>>>>>>>> the creation of the JMX management interface, however the incomplete fix
>>>>>>>> did not cover this edge case.
>>>>>>>> Mitigation:
>>>>>>>> - Upgrade to TomEE 7.0.9 or later
>>>>>>>> - Upgrade to TomEE 7.1.4 or later
>>>>>>>> - Upgrade to TomEE 8.0.4 or later
>>>>>>>> Ensure the correct VM broker name is used consistently across the resource
>>>>>>>> adapter config.
>>>>>>>> Credit: Thanks to Frans Henskens for discovering and reporting this
>>>>>>>> issue.
>>>>>>>
>>>>>>>
>>>>>>> So, I used TomEE 7.1.3 to test this vulnerability, and I found
>>>>>>> this vulnerability is fake.
>>>>>>> Frans Henskens has got something wrong.
>>>>>>>
>>>>>>> tomee.xml
>>>>>>>
>>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>>> <tomee>
>>>>>>>   <!-- see http://tomee.apache.org/containers-and-resources.html -->
>>>>>>>
>>>>>>>   <!-- activate next line to be able to deploy applications in apps -->
>>>>>>>   <!-- <Deployments dir="apps" /> -->
>>>>>>>
>>>>>>>   <Resource id="Foo" type="ActiveMQResourceAdapter">
>>>>>>>     BrokerXmlConfig=broker:(vm://localhost:61616)
>>>>>>>     ServerUrl = vm://localhost?async=true
>>>>>>>   </Resource>
>>>>>>> </tomee>
>>>>>>>
>>>>>>> I use this to start up TomEE 7.1.3.
>>>>>>>
>>>>>>> About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java:
>>>>>>> this is done before start()
>>>>>>> (managementContext.setCreateConnector(false);)
>>>>>>>
>>>>>>> So, let me see:
>>>>>>> it can't call the createConnector() function, because before start() it
>>>>>>> has already done managementContext.setCreateConnector(false);
>>>>>>> So the unauthorized JMX service on 1099 will not be enabled.
>>>>>>> CVE-2020-13931 is a fake vulnerability.
>>>>>>>
>>>>>>>
>>>>>>> Did you test exactly what he said was a safety issue?
>>>>>>> Looking forward to your reply.
>>>>>>>
>>>>>>> r00t4dm
>>>>>>> A-TEAM of Legendsec at Qi'anxin Group
>>>>>>>
>>>>>>
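The advisory quoted in the thread gives the configuration-side mitigation as using the VM broker name consistently across the resource adapter config. The following added example (mine, not TomEE project code) lints the ActiveMQResourceAdapter resources in a tomee.xml for that consistency; the name-matching rule, the brokerName= handling and the constructed sample config are assumptions built only from the snippets posted above.

```python
# Added example (not TomEE project code): lint the ActiveMQResourceAdapter resources in a
# tomee.xml for a VM broker name used consistently across BrokerXmlConfig and ServerUrl.
import re
import xml.etree.ElementTree as ET

VM_NAME = re.compile(r"vm://([^:/?,)&]+)")          # host part of a vm:// URI
BROKER_NAME = re.compile(r"[?&]brokerName=([^&]+)")  # explicit ActiveMQ broker name

def parse_properties(text):
    """TomEE resource bodies are 'Key = value' lines; return them as a dict."""
    props = {}
    for line in (text or "").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def broker_names(broker_xml_config):
    """Names the broker URI declares: an explicit brokerName= wins, else each vm:// host."""
    explicit = BROKER_NAME.search(broker_xml_config)
    return {explicit.group(1)} if explicit else set(VM_NAME.findall(broker_xml_config))

def check_tomee_xml(xml_text):
    """Return (resource id, finding) pairs; an empty list means every adapter is consistent."""
    findings = []
    for res in ET.fromstring(xml_text.encode()).iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        props = parse_properties(res.text)
        declared = broker_names(props.get("BrokerXmlConfig", ""))
        used = VM_NAME.findall(props.get("ServerUrl", ""))
        if not declared or not used:
            findings.append((res.get("id"), "vm broker name not determinable; review by hand"))
        elif used[0] not in declared:
            findings.append((res.get("id"), f"ServerUrl uses '{used[0]}' but BrokerXmlConfig declares {sorted(declared)}"))
    return findings

# Constructed sample: 'Consistent' reuses one name, 'Mismatch' uses two different names.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomee>
  <Resource id="Consistent" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://localhost:61616)
    ServerUrl = vm://localhost?async=true
  </Resource>
  <Resource id="Mismatch" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://broker)?useJmx=true
    ServerUrl=vm://localhost?create=true
  </Resource>
</tomee>"""

print(check_tomee_xml(SAMPLE))  # only the 'Mismatch' resource is reported
```

Run check_tomee_xml() over the text of a real tomee.xml; a resource whose name cannot be determined (for example a tcp:// only broker URI) is reported for manual review rather than silently passed.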
