[ https://issues.apache.org/jira/browse/AMQ-5745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14596544#comment-14596544 ]
Christopher L. Shannon edited comment on AMQ-5745 at 6/22/15 7:59 PM:
----------------------------------------------------------------------

I forgot to add that the double locking race condition issue was actually already fixed in AMQ-5787

was (Author: christopher.l.shannon):
I forgot to add that double locking race condition issue was actually already fixed in AMQ-5787

> Code analysis revealed multiple vulnerable sections of code
> -----------------------------------------------------------
>
>                 Key: AMQ-5745
>                 URL: https://issues.apache.org/jira/browse/AMQ-5745
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.9.0
>            Reporter: Int3
>         Attachments: activemq.patch
>
>
> Code analysis revealed multiple vulnerable sections of code in ActiveMQ
> 5.9.0. A patch file is attached that addresses the issues below.
> activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706
>     This code uses the "eval()" function to evaluate JSON code -- this
>     method is deprecated and dangerous and has been replaced by the JSON.parse()
>     method, which is supported in all modern browsers -- considering that less
>     than 2% of modern computers are still using legacy browsers, we believe the
>     code should be upgraded to use the more secure method
> activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
> activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
> activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
> activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
> activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
> activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
> activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
> activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
> activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
> activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
> activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
> activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198
>     Resource leaks are possible at these code locations (the patched code
>     releases the resources within a finally() statement)
> activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
> activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568
>     NULL dereferences are possible at these code locations
> activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269
>     Double-locking of this form is vulnerable to race conditions
> activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
> activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284
>     XSS reflection is possible at these code locations (an XSS filter
>     should be added)
> activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72
>     Path manipulation is possible via ".." directory traversal
> activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141
>     A return statement inside a finally block will cause any exception that
>     might be thrown in the try or catch block to be discarded.
> activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68
>     Recording passwords to a logfile in plaintext is inadvisable

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
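
The first finding in the report above (eval() versus JSON.parse() for JSON text), as an added JavaScript example that is not code from ActiveMQ, prototype.js or the attached patch. The function names, the `__evalMarker` flag and the sample strings are constructed for illustration.

```javascript
// "Before" (hypothetical helper): treats the response text as JavaScript
// source, so any expression embedded in it is executed while "parsing".
function legacyEvalJson(text) {
  return eval('(' + text + ')');
}

// "After" (hypothetical helper): JSON.parse accepts only the JSON grammar
// and never executes code; malformed input surfaces as a SyntaxError.
function strictParseJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs both parsers on one input and records whether embedded code executed.
function compare(text) {
  globalThis.__evalMarker = false; // side-effect flag, constructed for this demo
  let evalValue;
  let evalThrew = false;
  try { evalValue = legacyEvalJson(text); } catch (e) { evalThrew = true; }
  const codeRanUnderEval = globalThis.__evalMarker === true;

  globalThis.__evalMarker = false;
  const strict = strictParseJson(text);
  const codeRanUnderParse = globalThis.__evalMarker === true;
  return { evalThrew, evalValue, codeRanUnderEval, strict, codeRanUnderParse };
}

// Constructed sample inputs (not captured from any real broker response).
const SAMPLES = {
  wellFormed: '{"queue": "orders", "pending": 3}',
  embeddedExpression:
    '{"queue": "orders", "pending": (globalThis.__evalMarker = true, 3)}',
  scriptLiteral: "{queue: 'orders'}", // valid JavaScript, not valid JSON
};

function report() {
  return Object.entries(SAMPLES).map(([name, text]) => {
    const r = compare(text);
    return `${name}: eval ran code=${r.codeRanUnderEval}, ` +
           `JSON.parse ok=${r.strict.ok}`;
  });
}

console.log(report().join('\n'));
```

When moving from eval() to JSON.parse(), note that inputs like `scriptLiteral` start failing: callers that relied on eval's looser grammar need an error path for the SyntaxError.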