Dear r00t4dm; Jonathan from Tomee PMC has already responded to you: We do not provide further help or guidance to verify vulnerabilities. We use secur...@apache.org only for the reporting of new vulnerabilities.
Best Regards, Mark. On Wed, Dec 23, 2020 at 4:32 AM r00t 4dm <r00t...@gmail.com> wrote: > > Ok, Thanks for you help, maybe I need waiting the security team reply this > email. > Lastnight I saw this vulnerability, Let me learn a lot. > Five days age, I saw this vulnerability public in oss-security, I begin read > code from TomEE. > I sure I read the VMTransportFactory.java I think the VMTransportFactory.java > have security vulnerability, because the VMTransportFactory start > brokerService ManagementContext doesn’t control. > But I don’t know how to execution my code into the VMTransportFactory.java > flow. > About this question, if you have some time, please tell me. > > Regards, r00t4dm > Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department > > > 2020年12月23日 上午1:18,Jonathan Gallimore <jgallim...@apache.org> 写道: > > > > > maybe i wanna publish this vulnerable fully details in > > > https://paper.seebug.org/category/404team-en/ > > > i want to more Security researcher to learning this vulnerable. > > > > I've CC'd in the security email, in case they have a view on it. There's a > > bit of a delicate balance. In terms of the information the project itself > > gives out, we'd want to enable users to ensure they are not vulnerable > > whilst at same time not giving too much information to people who may wish > > to use it maliciously. Given that I worked on this, I'd probably be well > > placed to do a writeup on the issue myself. > > > > > by the way, i wanna to ask for you one questions. > > > i'm 23 years old, I want to one day in the future join in apache security > > > PMC. > > > What efforts do I need to make to join? > > > > Again, probably a question for the security team, rather than me (I'm not a > > member of the security team), but I'd suggest the following: > > > > * Start by reading this: https://www.apache.org/security/committers.html - > > this has the vulnerability disclosure process, and details the process by > > which a vulnerability is disclosed, fixed and released for ASF projects. > > * Ensure anything you disclose for ASF projects follows that process > > * Work with the projects to fix any issues; provide PRs, participate on the > > mailing lists > > * There's a large number of projects at the ASF, maybe pick a couple and > > join their communities. TomEE is interesting as it brings a number of other > > ASF projects together to produce a server targeting the Java EE / Jakarta > > EE webprofile. Vulnerabilities in those projects may or may not have an > > affect on TomEE as well. > > > > Jon > > > > On Tue, Dec 22, 2020 at 4:55 PM r00t 4dm <r00t...@gmail.com> wrote: > > Hi, > > > > by the way, i wanna to ask for you one questions. > > i'm 23 years old, I want to one day in the future join in apache security > > PMC. > > What efforts do I need to make to join? > > > > r00t4dm > > A-TEAM of Legendsec at Qi'anxin Group > > > > > > r00t 4dm <r00t...@gmail.com> 于2020年12月23日周三 上午12:50写道: > > maybe i wanna publish this vulnerable fully details in > > https://paper.seebug.org/category/404team-en/ > > i want to more Security researcher to learning this vulnerable. > > > > r00t4dm > > A-TEAM of Legendsec at Qi'anxin Group > > > > > > Jonathan Gallimore <jgallim...@apache.org> 于2020年12月23日周三 上午12:43写道: > > Specifically, what it is you're looking to publish, and where? > > > > Jon > > > > On Tue, Dec 22, 2020 at 4:35 PM r00t 4dm <r00t...@gmail.com> wrote: > > Hi, > > > > I using testcase > > https://github.com/apache/tomee/commit/a2a06604f5d4e92e34c84715a30d03d3e7121fd1 > > i found how to open 1099 port, if i fully success, i can make this > > vulnerable public? > > > > r00t4dm > > A-TEAM of Legendsec at Qi'anxin Group > > > > > > r00t 4dm <r00t...@gmail.com> 于2020年12月23日周三 上午12:03写道: > > Hi, > > > > Thank for you reply, i really want to know what configuration can open it > > 1099 port, I worked on this vulnerable for five days, Still nothing came of > > it. > > I tested: > > > > 1. > > > > <?xml version="1.0" encoding="UTF-8"?> > > <tomee> > > <!-- see http://tomee.apache.org/containers-and-resources.html --> > > > > <!-- activate next line to be able to deploy applications in apps --> > > <!-- <Deployments dir="apps" /> --> > > > > <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter"> > > BrokerXmlConfig=broker:(vm://broker)?useJmx=true > > ServerUrl=vm://broker?create=true > > </Resource> > > </tomee> > > > > 2. > > > > <?xml version="1.0" encoding="UTF-8"?> > > <tomee> > > <!-- see http://tomee.apache.org/containers-and-resources.html --> > > > > <!-- activate next line to be able to deploy applications in apps --> > > <Deployments dir="apps" /> > > > > > > <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter"> > > BrokerXmlConfig=broker:(tcp://localhost:61616,network:static:tcp://10.211.55.2:61616)?useJmx=true > > ServerUrl=vm://localhost?create=true > > </Resource> > > > > <Resource id="MyJmsConnectionFactory" type="javax.jms.ConnectionFactory"> > > ResourceAdapter = MyJmsResourceAdapter > > </Resource> > > > > > > <Container id="MyJmsMdbContainer" ctype="MESSAGE"> > > ResourceAdapter = MyJmsResourceAdapter > > </Container> > > > > <Resource id="FooQueue" type="javax.jms.Queue"/> > > <Resource id="BarTopic" type="javax.jms.Topic"/> > > > > </tomee> > > > > and more and more... > > > > but they all faild. > > > > Can you give me more details? Or is there any other way to get more details? > > I think the vulnerable has been fixed. Can we make it public? i just want > > to learning... > > > > r00t4dm > > A-TEAM of Legendsec at Qi'anxin Group > > > > > > Jonathan Gallimore <jgallim...@apache.org> 于2020年12月22日周二 下午9:55写道: > > Hi, > > > > Thanks for your email about this issue. I've snipped out the images from > > your email below, as they make the message quite large and cause some mail > > lists to reject the message. > > > > When I received your email, I did do a check with a fresh vanilla TomEE > > 7.1.3, with a simple application deployed, and a vulnerable configuration. > > A JMX port was opened on tcp/1099 without authentication, so I can confirm > > that TomEE 7.1.3 is vulnerable to this issue. We worked quite extensively > > with the reporter to validate and reproduce the issue. > > > > There are a couple of things to note: > > > > * CVE-2020-13931 is the result of an incomplete fix for CVE-2020-11969, and > > specifically there is an edge-case that will cause this port to be opened up > > * The edge-case we saw can be mitigated through a configuration change or > > by upgrading. > > * The configuration error was a simple error to make, and having an > > unwanted, unauthenticated JMX port open when it wasn't explicitly > > configured, so a further patch was worthwhile (hence the further CVE). > > There may be other usages of the server which may also have exposed this > > issue. > > > > I hope that answers your queries. We don't give out vulnerable > > configurations or specific reproduction steps for security issues. If you > > have follow-up questions for this, I'd encourage you to post on the > > us...@tomee.apache.org or dev@tomee.apache.org mailing lists. If you have > > other security related issues to report, secur...@apache.org is the address > > to report them (CC'd). > > > > Kind Regards > > > > Jon > > > > > > On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm <r00t...@gmail.com> wrote: > > Hello, > > > > in 2020/12/17 in oss-security email i see the [oss-security] CVE-2020-13931 > > Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX > > being enabled this email > > > > here is the content about this email: > > > > Severity: High > > Vendor: The Apache Software Foundation > > Versions Affected: > > Apache TomEE 8.0.0-M1 - 8.0.3 > > Apache TomEE 7.1.0 - 7.1.3 > > Apache TomEE 7.0.0-M1 - 7.0.8 > > Apache TomEE 1.0.0 - 1.7.5 > > Description: > > If Apache TomEE is configured to use the embedded ActiveMQ broker, and the > > broker config is misconfigured, a JMX port is opened on TCP port 1099, > > which does not include authentication. CVE-2020-11969 previously addressed > > the creation of the JMX management interface, however the incomplete fix > > did not cover this edge case. > > Mitigation: > > - Upgrade to TomEE 7.0.9 or later > > - Upgrade to TomEE 7.1.4 or later > > - Upgrade to TomEE 8.0.4 or later > > Ensure the correct VM broker name is used consistently across the resource > > adapter config. > > Credit: Thanks to Frans Henskens for discovering and reporting this issue. > > > > So, I using TomEE 7.1.3 to test this vulnerability, i found this > > vulnerability is Fake. > > The Frans Henskens have some wrong. > > > > tomee.xml > > > > <?xml version="1.0" encoding="UTF-8"?> > > <tomee> > > <!-- see http://tomee.apache.org/containers-and-resources.html --> > > > > <!-- activate next line to be able to deploy applications in apps --> > > <!-- <Deployments dir="apps" /> --> > > > > <Resource id="Foo" type="ActiveMQResourceAdapter"> > > BrokerXmlConfig=broker:(vm://localhost:61616) > > ServerUrl = vm://localhost?async=true > > </Resource> > > </tomee> > > > > i use this to startup tomee 7.1.3. > > > > about CVE-2020-11969 security patch code in ActiveMQ5Factory.java > > This is done before start (managementContext.etCreateConnector(false);) > > > > So, let me see > > it can't call createConnector() function, because before start() is already > > managementContext.setCreateConnector(false); > > So the 1099 An unauthorized JMX service will not be enabled. > > CVE-2020-13931 is Fake vulnerability > > > > > > > > > > Did you test exactly what he said was a safety issue? > > Looking forward to your reply. > > > > r00t4dm > > A-TEAM of Legendsec at Qi'anxin Group >
