[ https://issues.apache.org/jira/browse/AMQ-5745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Bish resolved AMQ-5745.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 5.12.0

Applied PR containing a subset of the changes identified in the patch; others
appear to be non-issues or already resolved.  I'd recommend testing the code
from master with your tooling to see if any other issues show up that seem
like real problems.  New issues can be opened with targeted patches for
different areas of concern.

> Code analysis revealed multiple vulnerable sections of code
> -----------------------------------------------------------
>
>                 Key: AMQ-5745
>                 URL: https://issues.apache.org/jira/browse/AMQ-5745
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.9.0
>            Reporter: Int3
>             Fix For: 5.12.0
>
>         Attachments: activemq.patch
>
>
> Code analysis revealed multiple vulnerable sections of code in ActiveMQ 
> 5.9.0.  A patch file is attached that addresses the issues below.
> activemq-web/src/main/resources/org/apache/activemq/web/prototype.js:700,706
>       This code uses the  "eval()" function to evaluate JSON code -- this 
> method is deprecated and dangerous and has been replaced by the JSON.parse() 
> method, which is supported in all modern browsers -- considering that less 
> than 2% of modern computers are still using legacy browsers, we believe the 
> code should be upgraded to use the more secure method
> activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java:248
> activemq-broker/src/main/java/org/apache/activemq/broker/PropertiesBrokerFactory.java:59
> activemq-broker/src/main/java/org/apache/activemq/util/IOHelper.java:257,259
> activemq-client/src/main/java/org/apache/activemq/ActiveMQSslConnectionFactory.java:130,162
> activemq-client/src/main/java/org/apache/activemq/blob/DefaultBlobUploadStrategy.java:43,58
> activemq-client/src/main/java/org/apache/activemq/blob/FTPBlobUploadStrategy.java:41
> activemq-client/src/main/java/org/apache/activemq/blob/FileSystemBlobStrategy.java:68,77
> activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java:194,218,219
> activemq-fileserver/src/main/java/org/apache/activemq/util/IOHelper.java:102,104
> activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java:92,127
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/BlobJDBCAdapter.java:142
> activemq-jdbc-store/src/main/java/org/apache/activemq/store/jdbc/adapter/StreamJDBCAdapter.java:51
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/page/PageFile.java:198
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/util/DiskBenchmark.java:214,246,270
> activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java:68
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/AbstractJmsClientSystem.java:266
> activemq-web/src/main/java/org/apache/activemq/web/AjaxServlet.java:67
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/JmsProducerClient.java:356
> activemq-tooling/activemq-perf-maven-plugin/src/main/java/org/apache/activemq/tool/reports/XmlFilePerfReportWriter.java:198
>       Resource leaks are possible at these code locations (the patched code 
> releases the resources within a finally() statement)
> activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationView.java:330
> activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionFactory.java:283,290
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/CallerBufferingDataFileAppender.java:182
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/DataFileAppender.java:391
> activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/disk/journal/Journal.java:568
>       NULL dereferences are possible at these code locations
> activemq-broker/src/main/java/org/apache/activemq/transport/vm/VMTransport.java:269
>       Double-locking of this form is vulnerable to race conditions
> activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java:196,236
> activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java:278,284
>       XSS reflection is possible at these code locations (an XSS filter 
> should be added)
> activemq-fileserver/src/main/java/org/apache/activemq/util/RestFilter.java:72
>       Path manipulation is possible via ".." directory traversal
> activemq-client/src/main/java/org/apache/activemq/thread/PooledTaskRunner.java:141
>       A return statement inside a finally block will cause any exception that 
> might be thrown in the try or catch block to be discarded.
> activemq-log4j-appender/src/main/java/org/apache/activemq/util/JmsLogAppender.java:68
>       Recording passwords to a logfile in plaintext is inadvisable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
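
The first item in the quoted report (eval() versus JSON.parse() for JSON text) can be seen in a small comparison. This is an added example, not code from ActiveMQ, prototype.js or the attached patch; the function names and both sample strings are constructed for illustration.

```javascript
// Hypothetical helper: the eval-based pattern the report flags.
// The response text is compiled and run as JavaScript.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Hypothetical helper: JSON.parse accepts only the JSON grammar
// and never evaluates expressions embedded in the text.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample inputs.
const wellFormed = '{"destination":"queue://TEST","count":3}';
// Not JSON: an expression that sets a flag, a harmless stand-in
// for any script that ends up in a response body.
const notJson = '{"count": (globalThis.__sideEffect = true, 3)}';

// Run both parsers on the same text and record whether code executed.
function compare(text) {
  globalThis.__sideEffect = false;
  let evalResult;
  try {
    evalResult = parseWithEval(text);
  } catch (err) {
    evalResult = err.name;
  }
  const evalRanCode = globalThis.__sideEffect;

  globalThis.__sideEffect = false;
  const strict = parseStrict(text);
  const strictRanCode = globalThis.__sideEffect;

  return { evalResult, evalRanCode, strict, strictRanCode };
}

console.log(compare(wellFormed));
console.log(compare(notJson));
```

For well-formed JSON the two parsers agree; for the second input the eval path runs the embedded expression while JSON.parse rejects the text with a SyntaxError.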
