[jira] [Commented] (AMQ-9245) Upgrade to Spring 5.3.26
[ https://issues.apache.org/jira/browse/AMQ-9245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1771#comment-1771 ]

Colm O hEigeartaigh commented on AMQ-9245:
--

The update should be to 5.3.27 to fix https://github.com/advisories/GHSA-wxqc-pxw9-g2p8

> Upgrade to Spring 5.3.26
>
> Key: AMQ-9245
> URL: https://issues.apache.org/jira/browse/AMQ-9245
> Project: ActiveMQ
> Issue Type: Task
> Components: Broker
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.5, 5.18.2

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (AMQ-8484) reload4j scope is not correct
[ https://issues.apache.org/jira/browse/AMQ-8484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490905#comment-17490905 ]

Colm O hEigeartaigh commented on AMQ-8484:
--

Yes, I think in activemq-partition it wasn't correct to have log4j at test scope before, as the library is required for logging by Zookeeper; that's why I added an explicit dependency on reload4j. slf4j-reload4j isn't required at compile scope though, from what I can see from activemq-partition, so I agree this should be removed.

> reload4j scope is not correct
>
> Key: AMQ-8484
> URL: https://issues.apache.org/jira/browse/AMQ-8484
> Project: ActiveMQ
> Issue Type: Bug
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.4
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> reload4j scope should be test in several modules, for instance like activemq-partition.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (AMQ-8473) Switch to reload4j for logging
Colm O hEigeartaigh created AMQ-8473:

Summary: Switch to reload4j for logging
Key: AMQ-8473
URL: https://issues.apache.org/jira/browse/AMQ-8473
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.4

This task is to switch AMQ 5.16.x to use Reload4J instead of Log4J for logging. That way we get fixes for the various CVEs in Log4J 1.x, until AMQ picks up Log4J 2.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (AMQ-8472) Switch to reload4j for logging
Colm O hEigeartaigh created AMQ-8472:

Summary: Switch to reload4j for logging
Key: AMQ-8472
URL: https://issues.apache.org/jira/browse/AMQ-8472
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.4

This task is to switch AMQ 5.16.x to use Reload4J instead of Log4J for logging. That way we get fixes for the various CVEs in Log4J 1.x, until AMQ picks up Log4J 2.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (AMQ-8468) CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
Colm O hEigeartaigh created AMQ-8468:

Summary: CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
Key: AMQ-8468
URL: https://issues.apache.org/jira/browse/AMQ-8468
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Fix For: 5.15.16, 5.16.4

Please update Xerces to 2.12.2 to fix CVE-2022-23437: Infinite loop within Apache XercesJ xml parser.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (AMQ-8358) Upgrade xstream to 1.4.18
[ https://issues.apache.org/jira/browse/AMQ-8358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated AMQ-8358:
-
Fix Version/s: 5.16.4
               5.15.16
               5.17.0

> Upgrade xstream to 1.4.18
>
> Key: AMQ-8358
> URL: https://issues.apache.org/jira/browse/AMQ-8358
> Project: ActiveMQ
> Issue Type: Dependency upgrade
> Reporter: Matt Pavlovich
> Assignee: Matt Pavlovich
> Priority: Major
> Fix For: 5.17.0, 5.15.16, 5.16.4
>
> We need to upstream to XStream 1.4.18 to fix a high CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-39154

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-8358) Upgrade xstream to 1.4.18
[ https://issues.apache.org/jira/browse/AMQ-8358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated AMQ-8358:
-
Description: We need to upstream to XStream 1.4.18 to fix a high CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-39154

> Upgrade xstream to 1.4.18
>
> Key: AMQ-8358
> URL: https://issues.apache.org/jira/browse/AMQ-8358
> Project: ActiveMQ
> Issue Type: Dependency upgrade
> Reporter: Matt Pavlovich
> Assignee: Matt Pavlovich
> Priority: Major
>
> We need to upstream to XStream 1.4.18 to fix a high CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-39154

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-8117) VirtualSelectorCacheBrokerPlugin throws false positive exception
[ https://issues.apache.org/jira/browse/AMQ-8117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17356439#comment-17356439 ]

Colm O hEigeartaigh commented on AMQ-8117:
--

PR submitted: [https://github.com/apache/activemq/pull/667]

> VirtualSelectorCacheBrokerPlugin throws false positive exception
>
> Key: AMQ-8117
> URL: https://issues.apache.org/jira/browse/AMQ-8117
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.0, 5.15.12, 5.15.13, 5.15.14
> Reporter: Joost
> Assignee: Jean-Baptiste Onofré
> Priority: Blocker
> Fix For: 5.15.16, 5.16.3
>
> Attachments: activemq.xml, file.data, image-2021-01-07-09-36-50-044.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Dear,
> The VirtualSelectorCacheBrokerPlugin throws an error in the following method:
> {code:java}
> if (!(desc.getName().equals("java.lang.String") || desc.getName().startsWith("java.util."))) {
>     throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
> }
> {code}
> This exception is thrown because there are some lines in the selector cache file that do not match the given "startsWith("java.util.")". The code will throw an exception because of the "[L" prefix in front of some java.util. elements in the file:
> !image-2021-01-07-09-36-50-044.png!
> My activemq.xml and file.data are attached to this ticket.
> The selector cache is working fine if I use ActiveMQ version 5.15.11 or below.
> I have tried to add jdk.serialFilters for the Concurrent Hashmap, like:
> wrapper.java.additional.13=-Djdk.serialFilter=java.util.** (wrapper.conf)
> and also tried to add this to the java security file, but that did not work.
> I hope this issue can be fixed or, if it is not a bug, the documentation can be complemented with some notes on how to configure these filters the right way.
> Best regards,
> Joost

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-8260) Remove unused keys from distribution
[ https://issues.apache.org/jira/browse/AMQ-8260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8260 started by Colm O hEigeartaigh.

> Remove unused keys from distribution
>
> Key: AMQ-8260
> URL: https://issues.apache.org/jira/browse/AMQ-8260
> Project: ActiveMQ
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Trivial
> Fix For: 5.17.0
>
> There are some unused keys in the distribution that could be removed:
> ./assembly/src/release/conf/client.ts
> ./assembly/src/release/conf/client.ks
> - Only used in activemq-unit-tests
> ./assembly/src/release/conf/broker-localhost.cert
> - Not used anywhere

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-8260) Remove unused keys from distribution
Colm O hEigeartaigh created AMQ-8260:

Summary: Remove unused keys from distribution
Key: AMQ-8260
URL: https://issues.apache.org/jira/browse/AMQ-8260
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.17.0

There are some unused keys in the distribution that could be removed:
./assembly/src/release/conf/client.ts
./assembly/src/release/conf/client.ks
- Only used in activemq-unit-tests
./assembly/src/release/conf/broker-localhost.cert
- Not used anywhere

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-8100) Update Jackson Databind to 2.9.10.8
[ https://issues.apache.org/jira/browse/AMQ-8100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17259054#comment-17259054 ]

Colm O hEigeartaigh commented on AMQ-8100:
--

I don't think Jackson Databind 2.9.10.8 is released yet, so for now we should just update to 2.9.10.7.

> Update Jackson Databind to 2.9.10.8
>
> Key: AMQ-8100
> URL: https://issues.apache.org/jira/browse/AMQ-8100
> Project: ActiveMQ
> Issue Type: Task
> Components: Broker, Web Console
> Reporter: Colm O hEigeartaigh
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.15
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This task is to update Jackson Databind to 2.9.10.7; there is yet another CVE fixed here.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-8112) Update Tomcat to 9.0.41
Colm O hEigeartaigh created AMQ-8112:

Summary: Update Tomcat to 9.0.41
Key: AMQ-8112
URL: https://issues.apache.org/jira/browse/AMQ-8112
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Jean-Baptiste Onofré
Fix For: 5.17.0, 5.16.1

This task is to update Tomcat to 9.0.41 to pick up a fix for [https://nvd.nist.gov/vuln/detail/CVE-2020-17527]

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-8100) Update Jackson Databind to 2.9.10.7
Colm O hEigeartaigh created AMQ-8100:

Summary: Update Jackson Databind to 2.9.10.7
Key: AMQ-8100
URL: https://issues.apache.org/jira/browse/AMQ-8100
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.15

This task is to update Jackson Databind to 2.9.10.7; there is yet another CVE fixed here.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (AMQ-8097) Harden deserialization block xstream ack processing
[ https://issues.apache.org/jira/browse/AMQ-8097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17246420#comment-17246420 ]

Colm O hEigeartaigh edited comment on AMQ-8097 at 12/9/20, 10:21 AM:
-

To fix the issue I think we should:
* Add "java.lang" (not java.util) back to ClassLoadingAwareObjectInputStream
* Take SubSelectorClassObjectInputStream out of MessageDatabaseObjectInputStream, and re-use it in SubQueueSelectorCacheBroker.
* Also add the xstream namespace to SubSelectorClassObjectInputStream

was (Author: coheigea):
To fix the issue I think we should:
* Add "java.lang" (not java.util) back to ClassLoadingAwareObjectInputStream
* Take SubSelectorClassObjectInputStream out of MessageDatabaseObjectInputStream, and re-use it in SubQueueSelectorCacheBroker.

> Harden deserialization block xstream ack processing
>
> Key: AMQ-8097
> URL: https://issues.apache.org/jira/browse/AMQ-8097
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.0, 5.15.13
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.1, 5.15.15
>
> Since we improved serialization security (see AMQ-7438), when a message has to be loaded from store and the message is xstream serialized, it fails with:
> {code:java}
> 2020-12-04 16:42:26,107 | WARN | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
> com.thoughtworks.xstream.converters.ConversionException:
> Debugging information
> cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
> cause-message       : java.lang.StackTraceElement
> class               : [Ljava.lang.StackTraceElement;
> required-type       : [Ljava.lang.StackTraceElement;
> converter-type      : com.thoughtworks.xstream.converters.collections.ArrayConverter
> path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
> line number         : 28
> class[1]            : java.lang.Throwable
> required-type[1]    : java.lang.Throwable
> converter-type[1]   : com.thoughtworks.xstream.converters.extended.ThrowableConverter
> class[2]            : org.apache.activemq.command.MessageAck
> required-type[2]    : org.apache.activemq.command.MessageAck
> converter-type[2]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
> version             : 1.4.11.1
> ---
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at
[jira] [Commented] (AMQ-8097) Harden deserialization block xstream ack processing
[ https://issues.apache.org/jira/browse/AMQ-8097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17246420#comment-17246420 ]

Colm O hEigeartaigh commented on AMQ-8097:
--

To fix the issue I think we should:
* Add "java.lang" (not java.util) back to ClassLoadingAwareObjectInputStream
* Take SubSelectorClassObjectInputStream out of MessageDatabaseObjectInputStream, and re-use it in SubQueueSelectorCacheBroker.

> Harden deserialization block xstream ack processing
>
> Key: AMQ-8097
> URL: https://issues.apache.org/jira/browse/AMQ-8097
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.0, 5.15.13
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.1, 5.15.15
>
> Since we improved serialization security (see AMQ-7438), when a message has to be loaded from store and the message is xstream serialized, it fails with:
> {code:java}
> 2020-12-04 16:42:26,107 | WARN | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
> com.thoughtworks.xstream.converters.ConversionException:
> Debugging information
> cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
> cause-message       : java.lang.StackTraceElement
> class               : [Ljava.lang.StackTraceElement;
> required-type       : [Ljava.lang.StackTraceElement;
> converter-type      : com.thoughtworks.xstream.converters.collections.ArrayConverter
> path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
> line number         : 28
> class[1]            : java.lang.Throwable
> required-type[1]    : java.lang.Throwable
> converter-type[1]   : com.thoughtworks.xstream.converters.extended.ThrowableConverter
> class[2]            : org.apache.activemq.command.MessageAck
> required-type[2]    : org.apache.activemq.command.MessageAck
> converter-type[2]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
> version             : 1.4.11.1
> ---
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)[xstream-1.4.11.1.jar:1.4.11.1]
>     at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)[xstream-1.4.11.1.jar:1.4.11.1]
>     at
[jira] [Assigned] (AMQ-8011) Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
[ https://issues.apache.org/jira/browse/AMQ-8011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned AMQ-8011:

Assignee: Jean-Baptiste Onofré

> Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
>
> Key: AMQ-8011
> URL: https://issues.apache.org/jira/browse/AMQ-8011
> Project: ActiveMQ
> Issue Type: Improvement
> Components: JMS client
> Affects Versions: 5.14.5
> Reporter: Andrew Levandoski
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> ClassLoadingAwareObjectInputStream.checkSecurity( ) is inefficient as it's repeatedly calling Class.getPackage( ).
> It only needs to be invoked once.
> It doesn't need to be invoked at all if trustAllPackage( ) == true
>
> Class.getPackage( ) calls Package.getPackage( )
> Package.getPackage( ) calls ClassLoader.getPackage(name)
> ClassLoader.getPackage( ) contains a synchronized block (on HashMap) that ends up delaying other threads when:
> * The rate of messaging is very high when security is enabled.
> * It's made worse by the number of packages in TRUSTED_PACKAGES.
> * Also made worse by the ordering of packages in TRUSTED_PACKAGES.
> * If the package being compared is further down the list, it exacerbates the issue.
> We have seen our code calling clazz.getPackage( ) upwards of 15 times during the handling of a single message.
>
> StackTrace of delayed threads:
> {code:java}
> "ActiveMQ Session Task-1280" #164931 prio=7 os_prio=0 tid=0x7f2764002800 nid=0x522d waiting for monitor entry [0x7f24c3436000]
>    java.lang.Thread.State: BLOCKED (on object monitor)
>     at java.lang.ClassLoader.getPackage(ClassLoader.java:1611)
>     - waiting to lock <0x0006dd9b39c0> (a java.util.HashMap)
>     at java.lang.Package.getPackage(Package.java:334)
>     at java.lang.Class.getPackage(Class.java:796)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.checkSecurity(ClassLoadingAwareObjectInputStream.java:106)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.resolveClass(ClassLoadingAwareObjectInputStream.java:57)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1924)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2098)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at java.util.ArrayList.readObject(ArrayList.java:797)
>     at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1184)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2234)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:206)
> {code}
>
> StackTrace of the thread
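As an added example (not code from ActiveMQ or from any of the commenters), the following allowlist check for ObjectInputStream class descriptors addresses both tickets above: it unwraps the "[L...;" array form that tripped the check in AMQ-8117, and, following AMQ-8011, derives the package name once with plain string operations instead of calling Class.getPackage() per trusted package, skipping the work entirely when all packages are trusted. The class, method and placeholder names are assumptions, and it goes beyond the tickets in matching packages on a dot boundary so that a name such as "java.utilities" does not pass as "java.util".

```java
import java.io.InvalidClassException;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Hypothetical allowlist check; names are assumptions, not ActiveMQ's API. */
public final class TrustedPackageCheck {

    private final List<String> trustedPackages;
    private final boolean trustAllPackages;

    public TrustedPackageCheck(Collection<String> trustedPackages, boolean trustAllPackages) {
        this.trustedPackages = Collections.unmodifiableList(new ArrayList<>(trustedPackages));
        this.trustAllPackages = trustAllPackages;
    }

    /**
     * Strips JVM array descriptor prefixes so the element class is what gets checked:
     * "[[Ljava.util.HashMap;" -> "java.util.HashMap". Primitive arrays such as "[I"
     * name no class at all and map to null.
     */
    static String elementClassName(String descriptorName) {
        int depth = 0;
        while (depth < descriptorName.length() && descriptorName.charAt(depth) == '[') {
            depth++;
        }
        if (depth == 0) {
            return descriptorName;                       // not an array descriptor
        }
        String rest = descriptorName.substring(depth);
        if (rest.length() > 2 && rest.charAt(0) == 'L' && rest.endsWith(";")) {
            return rest.substring(1, rest.length() - 1); // object array: unwrap "L...;"
        }
        return null;                                     // primitive array: no package to check
    }

    /** Package name from a binary class name, computed once per descriptor. */
    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    /** True when the class named by the descriptor may be resolved. */
    public boolean isTrusted(String descriptorName) {
        if (trustAllPackages) {
            return true;                                 // AMQ-8011: no package lookups at all here
        }
        String element = elementClassName(descriptorName);
        if (element == null) {
            return true;                                 // primitive arrays carry no code
        }
        String pkg = packageOf(element);                 // one string op, no Class.getPackage()
        for (String trusted : trustedPackages) {
            // Match the package itself or a sub-package, never a longer name sharing a prefix.
            if (pkg.equals(trusted) || pkg.startsWith(trusted + ".")) {
                return true;
            }
        }
        return false;
    }

    /** Drop-in shape for a resolveClass() hook: reject untrusted descriptors. */
    public void checkSecurity(ObjectStreamClass desc) throws InvalidClassException {
        if (!isTrusted(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
    }

    public static void main(String[] args) {
        TrustedPackageCheck check = new TrustedPackageCheck(
                Arrays.asList("java.lang", "java.util"), false);
        // Constructed sample descriptors, including the "[L" form reported in AMQ-8117.
        String[] names = {
                "java.lang.String",
                "java.util.concurrent.ConcurrentHashMap",
                "[Ljava.util.ArrayList;",
                "[[Ljava.lang.String;",
                "[I",
                "org.example.Gadget",                    // placeholder name, not a real class
                "[Lorg.example.Gadget;",
                "java.utilities.Fake"                    // shares a prefix with java.util only
        };
        for (String name : names) {
            System.out.println(name + " -> " + (check.isTrusted(name) ? "allowed" : "blocked"));
        }
    }
}
```

With the trusted list above, the two java.util descriptors and the String arrays are allowed, "[I" is allowed because it names no class, and the three remaining names are blocked.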
[jira] [Created] (AMQ-8062) Some dependency updates
Colm O hEigeartaigh created AMQ-8062:

Summary: Some dependency updates
Key: AMQ-8062
URL: https://issues.apache.org/jira/browse/AMQ-8062
Project: ActiveMQ
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

This task is to update:
* Tomcat: 9.0.35 -> 9.0.39 (many CVEs)
* Shiro: 1.5.3 -> 1.7.0 (many CVEs)
* Ant: 1.10.7 -> 1.10.9 (CVE-2020-11979)

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (AMQ-8043) Update Spring to 4.3.29.RELEASE
[ https://issues.apache.org/jira/browse/AMQ-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned AMQ-8043:

Assignee: Colm O hEigeartaigh

> Update Spring to 4.3.29.RELEASE
>
> Key: AMQ-8043
> URL: https://issues.apache.org/jira/browse/AMQ-8043
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We should update Spring to 4.3.29.RELEASE to pick up a recent CVE fix: https://tanzu.vmware.com/security/cve-2020-5421

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-8043) Update Spring to 4.3.29.RELEASE
[ https://issues.apache.org/jira/browse/AMQ-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8043 started by Colm O hEigeartaigh.

> Update Spring to 4.3.29.RELEASE
>
> Key: AMQ-8043
> URL: https://issues.apache.org/jira/browse/AMQ-8043
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We should update Spring to 4.3.29.RELEASE to pick up a recent CVE fix: https://tanzu.vmware.com/security/cve-2020-5421

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-8043) Update Spring to 4.3.29.RELEASE
Colm O hEigeartaigh created AMQ-8043:

Summary: Update Spring to 4.3.29.RELEASE
Key: AMQ-8043
URL: https://issues.apache.org/jira/browse/AMQ-8043
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

We should update Spring to 4.3.29.RELEASE to pick up a recent CVE fix: https://tanzu.vmware.com/security/cve-2020-5421

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (AMQ-8024) Escape JMSDestination output in message.jsp
[ https://issues.apache.org/jira/browse/AMQ-8024?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned AMQ-8024:

Assignee: Jean-Baptiste Onofré (was: Colm O hEigeartaigh)

> Escape JMSDestination output in message.jsp
>
> Key: AMQ-8024
> URL: https://issues.apache.org/jira/browse/AMQ-8024
> Project: ActiveMQ
> Issue Type: Task
> Components: Web Console
> Reporter: Colm O hEigeartaigh
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Escape JMSDestination output in message.jsp.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-8024) Escape JMSDestination output in message.jsp
[ https://issues.apache.org/jira/browse/AMQ-8024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17198172#comment-17198172 ]

Colm O hEigeartaigh commented on AMQ-8024:
--

[~jbonofre] - Please make sure this fix is cherry-picked to 5.16.x + 5.15.x: [https://github.com/apache/activemq/commit/4450c17c1c836a1daa7541dcb944f35798258197]

> Escape JMSDestination output in message.jsp
>
> Key: AMQ-8024
> URL: https://issues.apache.org/jira/browse/AMQ-8024
> Project: ActiveMQ
> Issue Type: Task
> Components: Web Console
> Reporter: Colm O hEigeartaigh
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Escape JMSDestination output in message.jsp.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (AMQ-8035) Support authentication over anonymous connection context in LDAPLoginModule
[ https://issues.apache.org/jira/browse/AMQ-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reopened AMQ-8035:
--

Assignee: Jean-Baptiste Onofré (was: Gary Tully)

@assignee Please cherry-pick [~gtully]'s fix back to 5.16.x + 5.15.x.

> Support authentication over anonymous connection context in LDAPLoginModule
>
> Key: AMQ-8035
> URL: https://issues.apache.org/jira/browse/AMQ-8035
> Project: ActiveMQ
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.16.0
> Reporter: Gary Tully
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> If the ldap provider supports anonymous binds, and the ldap login module is configured to make use of those, it should still be possible to verify bind credentials from client connections and revert to anonymous for further mapping work.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (AMQ-8035) Support authentication over anonymous connection context in LDAPLoginModule
[ https://issues.apache.org/jira/browse/AMQ-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17195286#comment-17195286 ]

Colm O hEigeartaigh edited comment on AMQ-8035 at 9/14/20, 8:34 AM:

[~jbonofre] Please cherry-pick [~gtully]'s fix back to 5.16.x + 5.15.x.

was (Author: coheigea):
@assignee Please cherry-pick [~gtully]'s fix back to 5.16.x + 5.15.x.

> Support authentication over anonymous connection context in LDAPLoginModule
>
> Key: AMQ-8035
> URL: https://issues.apache.org/jira/browse/AMQ-8035
> Project: ActiveMQ
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.16.0
> Reporter: Gary Tully
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> If the ldap provider supports anonymous binds, and the ldap login module is configured to make use of those, it should still be possible to verify bind credentials from client connections and revert to anonymous for further mapping work.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-8035) Support authentication over anonymous connection context in LDAPLoginModule
[ https://issues.apache.org/jira/browse/AMQ-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated AMQ-8035:
-
Fix Version/s: 5.15.14
               5.16.1

> Support authentication over anonymous connection context in LDAPLoginModule
>
> Key: AMQ-8035
> URL: https://issues.apache.org/jira/browse/AMQ-8035
> Project: ActiveMQ
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.16.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> If the ldap provider supports anonymous binds, and the ldap login module is configured to make use of those, it should still be possible to verify bind credentials from client connections and revert to anonymous for further mapping work.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-8035) Support authentication over anonymous connection context in LDAPLoginModule
[ https://issues.apache.org/jira/browse/AMQ-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17194308#comment-17194308 ]

Colm O hEigeartaigh commented on AMQ-8035:
--

[~gtully] - Can you backport to 5.16.x + 5.15.x as well please?

> Support authentication over anonymous connection context in LDAPLoginModule
>
> Key: AMQ-8035
> URL: https://issues.apache.org/jira/browse/AMQ-8035
> Project: ActiveMQ
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.16.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 5.17.0
>
> If the ldap provider supports anonymous binds, and the ldap login module is configured to make use of those, it should still be possible to verify bind credentials from client connections and revert to anonymous for further mapping work.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-8011) Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
[ https://issues.apache.org/jira/browse/AMQ-8011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17194287#comment-17194287 ]

Colm O hEigeartaigh commented on AMQ-8011:
--

[~levandos] - Yes that looks good to me, can you submit a pull request here please? [https://github.com/apache/activemq/pulls]

> Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
> ---
>
> Key: AMQ-8011
> URL: https://issues.apache.org/jira/browse/AMQ-8011
> Project: ActiveMQ
> Issue Type: Improvement
> Components: JMS client
> Affects Versions: 5.14.5
> Reporter: Andrew Levandoski
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> ClassLoadingAwareObjectInputStream.checkSecurity( ) is inefficient as it's repeatedly calling Class.getPackage( ).
> It only needs to be invoked once.
> It doesn't need to be invoked at all if trustAllPackage( ) == true
>
> Class.getPackage( ) calls Package.getPackage( )
> Package.getPackage( ) calls ClassLoader.getPackage(name)
> ClassLoader.getPackage( ) contains a synchronized block (on HashMap) that ends up delaying other threads when:
> * The rate of messaging is very high when security is enabled.
> * it's made worse by the number of packages in TRUSTED_PACKAGES
> * also made worse by the ordering of packages in TRUSTED_PACKAGES
> * if the package being compared is further down the list, it exacerbates the issue.
> We have seen our code calling clazz.getPackage( ) upwards of 15 times during the handling of a single message.
>
> StackTrace of delayed threads:
> {code:java}
> "ActiveMQ Session Task-1280" #164931 prio=7 os_prio=0 tid=0x7f2764002800 nid=0x522d waiting for monitor entry [0x7f24c3436000]
>    java.lang.Thread.State: BLOCKED (on object monitor)
>     at java.lang.ClassLoader.getPackage(ClassLoader.java:1611)
>     - waiting to lock <0x0006dd9b39c0> (a java.util.HashMap)
>     at java.lang.Package.getPackage(Package.java:334)
>     at java.lang.Class.getPackage(Class.java:796)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.checkSecurity(ClassLoadingAwareObjectInputStream.java:106)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.resolveClass(ClassLoadingAwareObjectInputStream.java:57)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1924)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2098)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at java.util.ArrayList.readObject(ArrayList.java:797)
>     at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1184)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2234)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:206)
> {code}
[jira] [Updated] (AMQ-8011) Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
[ https://issues.apache.org/jira/browse/AMQ-8011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated AMQ-8011:
-
    Fix Version/s: 5.15.14
                   5.16.1
                   5.17.0

> Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity( )
> ---
>
> Key: AMQ-8011
> URL: https://issues.apache.org/jira/browse/AMQ-8011
> Project: ActiveMQ
> Issue Type: Improvement
> Components: JMS client
> Affects Versions: 5.14.5
> Reporter: Andrew Levandoski
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> ClassLoadingAwareObjectInputStream.checkSecurity( ) is inefficient as it's repeatedly calling Class.getPackage( ).
> It only needs to be invoked once.
> It doesn't need to be invoked at all if trustAllPackage( ) == true
>
> Class.getPackage( ) calls Package.getPackage( )
> Package.getPackage( ) calls ClassLoader.getPackage(name)
> ClassLoader.getPackage( ) contains a synchronized block (on HashMap) that ends up delaying other threads when:
> * The rate of messaging is very high when security is enabled.
> * it's made worse by the number of packages in TRUSTED_PACKAGES
> * also made worse by the ordering of packages in TRUSTED_PACKAGES
> * if the package being compared is further down the list, it exacerbates the issue.
> We have seen our code calling clazz.getPackage( ) upwards of 15 times during the handling of a single message.
>
> StackTrace of delayed threads:
> {code:java}
> "ActiveMQ Session Task-1280" #164931 prio=7 os_prio=0 tid=0x7f2764002800 nid=0x522d waiting for monitor entry [0x7f24c3436000]
>    java.lang.Thread.State: BLOCKED (on object monitor)
>     at java.lang.ClassLoader.getPackage(ClassLoader.java:1611)
>     - waiting to lock <0x0006dd9b39c0> (a java.util.HashMap)
>     at java.lang.Package.getPackage(Package.java:334)
>     at java.lang.Class.getPackage(Class.java:796)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.checkSecurity(ClassLoadingAwareObjectInputStream.java:106)
>     at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.resolveClass(ClassLoadingAwareObjectInputStream.java:57)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1924)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1941)
>     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1807)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2098)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at java.util.ArrayList.readObject(ArrayList.java:797)
>     at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1184)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2234)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2343)
>     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2267)
>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2125)
>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1624)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:464)
>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
>     at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:206)
> {code}
>
> StackTrace of the thread holding the lock:
> {noformat}
> "ActiveMQ Session Task-3517"
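The ticket's point, that the trusted-package decision can be made once per class descriptor from its name alone, is shown below in an added example; it is not ActiveMQ's ClassLoadingAwareObjectInputStream, and the class, method and package names are hypothetical. The check is a pure string comparison, so the hot path never enters Class.getPackage() or the ClassLoader lock seen in the stack trace, while still rejecting classes outside the allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical allow-list ObjectInputStream (example code, not ActiveMQ's own class).
 * The package is derived from the class descriptor's name, so no class is loaded and
 * Class.getPackage() is never called while deciding whether to accept it.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    private final List<String> trustedPackages;
    private final boolean trustAllPackages;

    public AllowListObjectInputStream(InputStream in, List<String> trustedPackages,
                                      boolean trustAllPackages) throws IOException {
        super(in);
        this.trustedPackages = Collections.unmodifiableList(new ArrayList<>(trustedPackages));
        this.trustAllPackages = trustAllPackages;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        checkSecurity(desc.getName());      // exactly one check per class descriptor
        return super.resolveClass(desc);    // only reached for accepted classes
    }

    /** Rejects the class unless everything is trusted or its package is on the list. */
    void checkSecurity(String className) throws InvalidClassException {
        if (trustAllPackages || isTrusted(className, trustedPackages)) {
            return;                          // trust-all short-circuits before any comparison
        }
        throw new InvalidClassException(className, "package is not in the trusted-package list");
    }

    /** Pure string check: handles array descriptors such as "[I" and "[Ljava.lang.String;". */
    static boolean isTrusted(String className, List<String> trustedPackages) {
        String name = className;
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (name.length() == 1) {
            return true;                     // primitive array element (int[], byte[], ...)
        }
        if (name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        int dot = name.lastIndexOf('.');
        String pkg = dot < 0 ? "" : name.substring(0, dot);
        for (String trusted : trustedPackages) {
            // exact package match, or a sub-package of a trusted package
            if (pkg.equals(trusted) || pkg.startsWith(trusted + ".")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: a serialized ArrayList of two strings.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("alpha", "beta")));
        }
        byte[] payload = bos.toByteArray();

        // java.util is trusted, so the ArrayList descriptor is accepted and the list is read back.
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(payload), Arrays.asList("java.lang", "java.util"), false)) {
            System.out.println("accepted: " + in.readObject());
        }

        // Only a hypothetical application package is trusted, so java.util.ArrayList is refused
        // before the class is resolved.
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(payload), Arrays.asList("com.example.model"), false)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```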
[jira] [Work started] (AMQ-8037) Update Jetty to 9.4.31.v20200723
[ https://issues.apache.org/jira/browse/AMQ-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8037 started by Colm O hEigeartaigh.

> Update Jetty to 9.4.31.v20200723
> ---
>
> Key: AMQ-8037
> URL: https://issues.apache.org/jira/browse/AMQ-8037
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This task is to update Jetty to 9.4.31.v20200723 to fix some CVEs:
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]
[jira] [Assigned] (AMQ-8037) Update Jetty to 9.4.31.v20200723
[ https://issues.apache.org/jira/browse/AMQ-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned AMQ-8037:
    Assignee: Colm O hEigeartaigh

> Update Jetty to 9.4.31.v20200723
> ---
>
> Key: AMQ-8037
> URL: https://issues.apache.org/jira/browse/AMQ-8037
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This task is to update Jetty to 9.4.31.v20200723 to fix some CVEs:
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]
[jira] [Created] (AMQ-8037) Update Jetty to 9.4.31.v20200723
Colm O hEigeartaigh created AMQ-8037:

Summary: Update Jetty to 9.4.31.v20200723
Key: AMQ-8037
URL: https://issues.apache.org/jira/browse/AMQ-8037
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

This task is to update Jetty to 9.4.31.v20200723 to fix some CVEs:
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]
[jira] [Work started] (AMQ-8036) Update Jackson Databind to 2.9.10.6
[ https://issues.apache.org/jira/browse/AMQ-8036?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8036 started by Colm O hEigeartaigh.

> Update Jackson Databind to 2.9.10.6
> ---
>
> Key: AMQ-8036
> URL: https://issues.apache.org/jira/browse/AMQ-8036
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This task is to update Jackson Databind to 2.9.10.6 to pick up a CVE fix for:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616
[jira] [Created] (AMQ-8036) Update Jackson Databind to 2.9.10.6
Colm O hEigeartaigh created AMQ-8036:

Summary: Update Jackson Databind to 2.9.10.6
Key: AMQ-8036
URL: https://issues.apache.org/jira/browse/AMQ-8036
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

This task is to update Jackson Databind to 2.9.10.6 to pick up a CVE fix for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616
[jira] [Created] (AMQ-8029) Place a bound on the data read in MessageServletSupport
Colm O hEigeartaigh created AMQ-8029:

Summary: Place a bound on the data read in MessageServletSupport
Key: AMQ-8029
URL: https://issues.apache.org/jira/browse/AMQ-8029
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

This task is to place a bound on the amount of data read in MessageServletSupport, as otherwise BufferedReader.readLine() will block until all data is read, potentially leading to a java.lang.OutOfMemoryError: Java heap space error. I introduced a dependency on commons-io's BoundedInputStream for this, with a default (configurable) bound of 10 bytes.
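The bounded-read mitigation the ticket describes, as an added example rather than the MessageServletSupport change itself: the request body is wrapped in commons-io's BoundedInputStream before it is buffered, so an over-long (or unterminated) body is refused after the limit instead of being accumulated until the heap is exhausted. The 1 MiB limit and the class and method names are assumptions for this example, not the ticket's default; commons-io is assumed to be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.apache.commons.io.input.BoundedInputStream;

/** Hypothetical bounded body reader (example code, not ActiveMQ's MessageServletSupport). */
public class BoundedBodyReader {

    /** Assumed limit for this example; the ticket's default is configurable and may differ. */
    static final long MAX_BODY_BYTES = 1024L * 1024L;

    /**
     * Reads the body into memory but never more than maxBytes. The bound is set one byte
     * higher than the limit so that a body of exactly maxBytes is accepted while a longer
     * one is detected; without any bound, a line without a terminator would be buffered in
     * full by BufferedReader.readLine() before the caller could react.
     */
    static String readBounded(InputStream body, long maxBytes) throws IOException {
        InputStream limited = new BoundedInputStream(body, maxBytes + 1);   // commons-io
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = limited.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
            if (buf.size() > maxBytes) {
                // At most maxBytes + 1 bytes were ever held in memory.
                throw new IOException("request body exceeds " + maxBytes + " bytes");
            }
        }
        return buf.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a short message body and a 3 MiB body with no line terminator.
        byte[] small = "hello queue".getBytes(StandardCharsets.UTF_8);
        byte[] huge = new byte[3 * 1024 * 1024];
        Arrays.fill(huge, (byte) 'A');

        System.out.println("accepted: " + readBounded(new ByteArrayInputStream(small), MAX_BODY_BYTES));
        try {
            readBounded(new ByteArrayInputStream(huge), MAX_BODY_BYTES);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```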
[jira] [Work started] (AMQ-8024) Escape JMSDestination output in message.jsp
[ https://issues.apache.org/jira/browse/AMQ-8024?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8024 started by Colm O hEigeartaigh.

> Escape JMSDestination output in message.jsp
> ---
>
> Key: AMQ-8024
> URL: https://issues.apache.org/jira/browse/AMQ-8024
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Escape JMSDestination output in message.jsp.
[jira] [Created] (AMQ-8024) Escape JMSDestination output in message.jsp
Colm O hEigeartaigh created AMQ-8024:

Summary: Escape JMSDestination output in message.jsp
Key: AMQ-8024
URL: https://issues.apache.org/jira/browse/AMQ-8024
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.1, 5.15.14

Escape JMSDestination output in message.jsp.
[jira] [Closed] (AMQ-8009) Spring upgrade required for Karaf feature
[ https://issues.apache.org/jira/browse/AMQ-8009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed AMQ-8009.
    Resolution: Won't Fix

> Spring upgrade required for Karaf feature
> -
>
> Key: AMQ-8009
> URL: https://issues.apache.org/jira/browse/AMQ-8009
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently deploying activemq-client in Karaf with Spring 5 fails with:
> osgi.identity; osgi.identity=activemq-client; type=karaf.feature; version="[5.16.0,5.16.0]"; filter:="(&(osgi.identity=activemq-client)(type=karaf.feature)(version>=5.16.0)(version<=5.16.0))" [caused by: Unable to resolve activemq-client/5.16.0: missing requirement [activemq-client/5.16.0] osgi.identity; osgi.identity=spring; type=karaf.feature; version="[4.0.0,5.0.0)"]
> We need to allow Spring 5 here in the feature.
[jira] [Work started] (AMQ-8020) Replace toLowerCase().equals() with equalsIgnoreCase
[ https://issues.apache.org/jira/browse/AMQ-8020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8020 started by Colm O hEigeartaigh.

> Replace toLowerCase().equals() with equalsIgnoreCase
> ---
>
> Key: AMQ-8020
> URL: https://issues.apache.org/jira/browse/AMQ-8020
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Trivial
> Fix For: 5.17.0, 5.16.1
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There are a few instances in the code where toLowerCase().equals() is used, when equalsIgnoreCase() would suffice. The latter is more concise + also doesn't involve the default Locale that's used with toLowerCase(), which might be problematic depending on the String being compared.
[jira] [Assigned] (AMQ-8020) Replace toLowerCase().equals() with equalsIgnoreCase
[ https://issues.apache.org/jira/browse/AMQ-8020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned AMQ-8020:
    Assignee: Colm O hEigeartaigh

> Replace toLowerCase().equals() with equalsIgnoreCase
> ---
>
> Key: AMQ-8020
> URL: https://issues.apache.org/jira/browse/AMQ-8020
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Trivial
> Fix For: 5.17.0, 5.16.1
>
> There are a few instances in the code where toLowerCase().equals() is used, when equalsIgnoreCase() would suffice. The latter is more concise + also doesn't involve the default Locale that's used with toLowerCase(), which might be problematic depending on the String being compared.
[jira] [Created] (AMQ-8020) Replace toLowerCase().equals() with equalsIgnoreCase
Colm O hEigeartaigh created AMQ-8020:

Summary: Replace toLowerCase().equals() with equalsIgnoreCase
Key: AMQ-8020
URL: https://issues.apache.org/jira/browse/AMQ-8020
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1

There are a few instances in the code where toLowerCase().equals() is used, when equalsIgnoreCase() would suffice. The latter is more concise + also doesn't involve the default Locale that's used with toLowerCase(), which might be problematic depending on the String being compared.
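The Locale problem the ticket alludes to, made concrete in an added example that is not code from the ActiveMQ change: under a Turkish default Locale, String.toLowerCase() maps the dotted capital I to the dotless "ı", so a comparison that looked case-insensitive silently fails, whereas equalsIgnoreCase() compares character by character without consulting the default Locale. The class and method names are hypothetical.

```java
import java.util.Locale;

/** Illustrative comparison of the two idioms (example code, not ActiveMQ's). */
public class CaseInsensitiveCompare {

    /** The pattern the ticket removes: lower-casing with whatever Locale the JVM defaults to. */
    static boolean equalsViaToLowerCase(String actual, String expected) {
        return actual.toLowerCase().equals(expected);
    }

    /** The replacement: per-character, Locale-independent comparison. */
    static boolean equalsViaIgnoreCase(String actual, String expected) {
        return actual.equalsIgnoreCase(expected);
    }

    /** Runs both idioms with the given default Locale and restores the original afterwards. */
    static boolean[] compareUnderLocale(Locale locale, String actual, String expected) {
        Locale original = Locale.getDefault();
        try {
            Locale.setDefault(locale);
            return new boolean[] {
                equalsViaToLowerCase(actual, expected),
                equalsViaIgnoreCase(actual, expected)
            };
        } finally {
            Locale.setDefault(original);   // never leave the process-wide Locale changed
        }
    }

    public static void main(String[] args) {
        // Constructed input: an upper-case token that a caller compares against a lower-case one,
        // as happens with protocol keywords and header names.
        String actual = "TITLE";
        String expected = "title";

        // tr_TR lower-cases 'I' to U+0131 (dotless i), so toLowerCase().equals() no longer matches,
        // while equalsIgnoreCase() still does.
        boolean[] turkish = compareUnderLocale(new Locale("tr", "TR"), actual, expected);
        System.out.println("tr_TR  toLowerCase().equals(): " + turkish[0]
                + "  equalsIgnoreCase(): " + turkish[1]);

        boolean[] english = compareUnderLocale(Locale.ENGLISH, actual, expected);
        System.out.println("en     toLowerCase().equals(): " + english[0]
                + "  equalsIgnoreCase(): " + english[1]);
    }
}
```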
[jira] [Work started] (AMQ-8009) Spring upgrade required for Karaf feature
[ https://issues.apache.org/jira/browse/AMQ-8009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-8009 started by Colm O hEigeartaigh.

> Spring upgrade required for Karaf feature
> -
>
> Key: AMQ-8009
> URL: https://issues.apache.org/jira/browse/AMQ-8009
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently deploying activemq-client in Karaf with Spring 5 fails with:
> osgi.identity; osgi.identity=activemq-client; type=karaf.feature; version="[5.16.0,5.16.0]"; filter:="(&(osgi.identity=activemq-client)(type=karaf.feature)(version>=5.16.0)(version<=5.16.0))" [caused by: Unable to resolve activemq-client/5.16.0: missing requirement [activemq-client/5.16.0] osgi.identity; osgi.identity=spring; type=karaf.feature; version="[4.0.0,5.0.0)"]
> We need to allow Spring 5 here in the feature.
[jira] [Created] (AMQ-8009) Spring upgrade required for Karaf feature
Colm O hEigeartaigh created AMQ-8009:

Summary: Spring upgrade required for Karaf feature
Key: AMQ-8009
URL: https://issues.apache.org/jira/browse/AMQ-8009
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.17.0, 5.16.1, 5.15.14

Currently deploying activemq-client in Karaf with Spring 5 fails with:
osgi.identity; osgi.identity=activemq-client; type=karaf.feature; version="[5.16.0,5.16.0]"; filter:="(&(osgi.identity=activemq-client)(type=karaf.feature)(version>=5.16.0)(version<=5.16.0))" [caused by: Unable to resolve activemq-client/5.16.0: missing requirement [activemq-client/5.16.0] osgi.identity; osgi.identity=spring; type=karaf.feature; version="[4.0.0,5.0.0)"]
We need to allow Spring 5 here in the feature.
[jira] [Work started] (AMQ-7513) Fix http://activemq.org links
[ https://issues.apache.org/jira/browse/AMQ-7513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-7513 started by Colm O hEigeartaigh.

> Fix http://activemq.org links
> -
>
> Key: AMQ-7513
> URL: https://issues.apache.org/jira/browse/AMQ-7513
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Trivial
> Fix For: 5.16.1
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There are numerous instances in the javadoc + test config to [http://activemq.org,|http://activemq.org,/] none of which actually resolve to useful pages.
[jira] [Created] (AMQ-7513) Fix http://activemq.org links
Colm O hEigeartaigh created AMQ-7513:

Summary: Fix http://activemq.org links
Key: AMQ-7513
URL: https://issues.apache.org/jira/browse/AMQ-7513
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.1

There are numerous instances in the javadoc + test config to [http://activemq.org,|http://activemq.org,/] none of which actually resolve to useful pages.
[jira] [Work started] (AMQ-7512) Consolidate XBean byte parsing
[ https://issues.apache.org/jira/browse/AMQ-7512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-7512 started by Colm O hEigeartaigh.

> Consolidate XBean byte parsing
> --
>
> Key: AMQ-7512
> URL: https://issues.apache.org/jira/browse/AMQ-7512
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: 5.16.1
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There are three different instances in the codebase where it maps something like 50 GB -> the byte equivalent for XBean. This task is to consolidate this functionality in one place.
[jira] [Created] (AMQ-7512) Consolidate XBean byte parsing
Colm O hEigeartaigh created AMQ-7512:

Summary: Consolidate XBean byte parsing
Key: AMQ-7512
URL: https://issues.apache.org/jira/browse/AMQ-7512
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.1

There are three different instances in the codebase where it maps something like 50 GB -> the byte equivalent for XBean. This task is to consolidate this functionality in one place.
[jira] [Work started] (AMQ-7511) Update Jackson Databind to 2.9.10.5
[ https://issues.apache.org/jira/browse/AMQ-7511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMQ-7511 started by Colm O hEigeartaigh.

> Update Jackson Databind to 2.9.10.5
> ---
>
> Key: AMQ-7511
> URL: https://issues.apache.org/jira/browse/AMQ-7511
> Project: ActiveMQ
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 5.16.1, 5.15.14
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This task is to update Jackson Databind yet again to 2.9.10.5 to pick up multiple CVE fixes, e.g.:
> * [https://nvd.nist.gov/vuln/detail/CVE-2020-14060]
> * [https://nvd.nist.gov/vuln/detail/CVE-2020-14195]
[jira] [Created] (AMQ-7511) Update Jackson Databind to 2.9.10.5
Colm O hEigeartaigh created AMQ-7511:

Summary: Update Jackson Databind to 2.9.10.5
Key: AMQ-7511
URL: https://issues.apache.org/jira/browse/AMQ-7511
Project: ActiveMQ
Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 5.16.1, 5.15.14

This task is to update Jackson Databind yet again to 2.9.10.5 to pick up multiple CVE fixes, e.g.:
* [https://nvd.nist.gov/vuln/detail/CVE-2020-14060]
* [https://nvd.nist.gov/vuln/detail/CVE-2020-14195]
[jira] [Commented] (AMQ-7452) java.lang.IllegalStateException: Timer already cancelled.
[ https://issues.apache.org/jira/browse/AMQ-7452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17125651#comment-17125651 ]

Colm O hEigeartaigh commented on AMQ-7452:
--

and how to reproduce the problem with the attached config?

> java.lang.IllegalStateException: Timer already cancelled.
> -
>
> Key: AMQ-7452
> URL: https://issues.apache.org/jira/browse/AMQ-7452
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.15.3
> Reporter: wangxiaoqing
> Priority: Blocker
> Attachments: activemq.xml, docker-mq.yaml
>
> 2020-03-24 12:54:47,990 | ERROR | Could not accept connection from tcp://10.0.1.5:41212 : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-17442
> 2020-03-24 12:54:47,990 | ERROR | Could not accept connection from tcp://10.0.1.5:41212 : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-17442
> java.lang.IllegalStateException: Timer already cancelled.
>     at java.util.Timer.sched(Timer.java:397)[:1.8.0_191]
>     at java.util.Timer.schedule(Timer.java:193)[:1.8.0_191]
>     at org.apache.activemq.transport.AbstractInactivityMonitor.startConnectCheckTask(AbstractInactivityMonitor.java:425)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.AbstractInactivityMonitor.startConnectCheckTask(AbstractInactivityMonitor.java:400)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:50)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1066)[activemq-broker-5.15.3.jar:5.15.3]
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.3.jar:5.15.3]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)[:1.8.0_191]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)[:1.8.0_191]
>     at java.lang.Thread.run(Thread.java:748)[:1.8.0_191]
[jira] [Commented] (AMQ-7452) java.lang.IllegalStateException: Timer already cancelled.
[ https://issues.apache.org/jira/browse/AMQ-7452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118711#comment-17118711 ]

Colm O hEigeartaigh commented on AMQ-7452:
--

Please give more details about how to reproduce the stacktrace above.

> java.lang.IllegalStateException: Timer already cancelled.
> -
>
> Key: AMQ-7452
> URL: https://issues.apache.org/jira/browse/AMQ-7452
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.15.3
> Reporter: wangxiaoqing
> Priority: Blocker
>
> 2020-03-24 12:54:47,990 | ERROR | Could not accept connection from tcp://10.0.1.5:41212 : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-17442
> 2020-03-24 12:54:47,990 | ERROR | Could not accept connection from tcp://10.0.1.5:41212 : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-17442
> java.lang.IllegalStateException: Timer already cancelled.
>     at java.util.Timer.sched(Timer.java:397)[:1.8.0_191]
>     at java.util.Timer.schedule(Timer.java:193)[:1.8.0_191]
>     at org.apache.activemq.transport.AbstractInactivityMonitor.startConnectCheckTask(AbstractInactivityMonitor.java:425)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.AbstractInactivityMonitor.startConnectCheckTask(AbstractInactivityMonitor.java:400)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:50)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.3.jar:5.15.3]
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1066)[activemq-broker-5.15.3.jar:5.15.3]
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.3.jar:5.15.3]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)[:1.8.0_191]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)[:1.8.0_191]
>     at java.lang.Thread.run(Thread.java:748)[:1.8.0_191]
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118709#comment-17118709 ]

Colm O hEigeartaigh commented on AMQ-7491:
--

I will contact you.

> ActiveMQ illegal occupation vulnerability
> -
>
> Key: AMQ-7491
> URL: https://issues.apache.org/jira/browse/AMQ-7491
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 5.15.12
> Environment: We built a script in JavaScript to interact with the broker in ActiveMQ 5.15.12. The experiment is performed on Windows 10 version 1903.
> Reporter: wang Jessie
> Priority: Blocker
> Labels: security
> Attachments: 1590234052205.png
>
> *Description:* Two clients with the same Container-Id are not allowed to connect to the broker. When we send *two OPEN packets with the same Container-Id*, the broker will return an error and the client will close the TCP connection. The client with this Container-Id will *never be able to connect with the broker* unless the broker resets. This vulnerability can be exploited by the adversary to perform the aforementioned attacks on many Container-Ids to make a huge set of clients unable to connect with the broker. As ActiveMQ is widely adopted by IoT vendors, this can be a vulnerability affecting a wide range.
> Following are the details.
> We send *two OPEN packets with the same Container-Id 1* and we can learn from log A in the attached picture on the broker side that the broker returned close packets and the client closed this TCP connection with the broker.
> Then we build a new client to connect with the broker using the same Container-Id 1, and we can learn from log B in the attached picture that the broker returned errors, as the broker believes the client with Container-Id 1 is already connected.
>
> *Suggestion for repair:* Maybe the state of the broker after receiving two OPEN packets could be checked, and the connection state of the client could be updated when the TCP connection is closed.
>
> :) I hope what I found can be of some help, and if you want further discussion, please email me at [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. Thanks for spending your time on my issue.
[jira] [Commented] (AMQ-7491) ActiveMQ illegal occupation vulnerability
[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17116038#comment-17116038 ]

Colm O hEigeartaigh commented on AMQ-7491:
--

Can you share the script you are using to reproduce the problem?

> ActiveMQ illegal occupation vulnerability
> -
>
> Key: AMQ-7491
> URL: https://issues.apache.org/jira/browse/AMQ-7491
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 5.15.12
> Environment: We built a script in JavaScript to interact with the broker in ActiveMQ 5.15.12. The experiment is performed on Windows 10 version 1903.
> Reporter: wang Jessie
> Priority: Blocker
> Labels: security
> Attachments: 1590234052205.png
>
> *Description:* Two clients with the same Container-Id are not allowed to connect to the broker. When we send *two OPEN packets with the same Container-Id*, the broker will return an error and the client will close the TCP connection. The client with this Container-Id will *never be able to connect with the broker* unless the broker resets. This vulnerability can be exploited by the adversary to perform the aforementioned attacks on many Container-Ids to make a huge set of clients unable to connect with the broker. As ActiveMQ is widely adopted by IoT vendors, this can be a vulnerability affecting a wide range.
> Following are the details.
> We send *two OPEN packets with the same Container-Id 1* and we can learn from log A in the attached picture on the broker side that the broker returned close packets and the client closed this TCP connection with the broker.
> Then we build a new client to connect with the broker using the same Container-Id 1, and we can learn from log B in the attached picture that the broker returned errors, as the broker believes the client with Container-Id 1 is already connected.
>
> *Suggestion for repair:* Maybe the state of the broker after receiving two OPEN packets could be checked, and the connection state of the client could be updated when the TCP connection is closed.
>
> :) I hope what I found can be of some help, and if you want further discussion, please email me at [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. Thanks for spending your time on my issue.
[jira] [Created] (AMQ-7490) Fix JMX regression
Colm O hEigeartaigh created AMQ-7490: Summary: Fix JMX regression Key: AMQ-7490 URL: https://issues.apache.org/jira/browse/AMQ-7490 Project: ActiveMQ Issue Type: Task Affects Versions: 5.15.12 Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 The fix for [https://github.com/apache/activemq/pull/444/files] caused a regression in ManagementContext, in that it passes an empty environment map to RMIConnectorServer. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7489) Update Tomcat to 9.0.35
[ https://issues.apache.org/jira/browse/AMQ-7489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7489: - Description: We should update Tomcat to 9.0.35 due to CVE-2020-9484 (was: We should update Tomcat to 9.0.34 due to CVE-2020-9484) > Update Tomcat to 9.0.35 > --- > > Key: AMQ-7489 > URL: https://issues.apache.org/jira/browse/AMQ-7489 > Project: ActiveMQ > Issue Type: Task >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.13 > > Time Spent: 10m > Remaining Estimate: 0h > > We should update Tomcat to 9.0.35 due to CVE-2020-9484 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7489) Update Tomcat to 9.0.35
[ https://issues.apache.org/jira/browse/AMQ-7489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7489: - Summary: Update Tomcat to 9.0.35 (was: Update Tomcat to 9.0.34) > Update Tomcat to 9.0.35 > --- > > Key: AMQ-7489 > URL: https://issues.apache.org/jira/browse/AMQ-7489 > Project: ActiveMQ > Issue Type: Task >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.13 > > Time Spent: 10m > Remaining Estimate: 0h > > We should update Tomcat to 9.0.34 due to CVE-2020-9484 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7489) Update Tomcat to 9.0.34
Colm O hEigeartaigh created AMQ-7489: Summary: Update Tomcat to 9.0.34 Key: AMQ-7489 URL: https://issues.apache.org/jira/browse/AMQ-7489 Project: ActiveMQ Issue Type: Task Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 We should update Tomcat to 9.0.34 due to CVE-2020-9484 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-7484) Update Jackson Databind to 2.9.10.4
[ https://issues.apache.org/jira/browse/AMQ-7484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on AMQ-7484 started by Colm O hEigeartaigh. > Update Jackson Databind to 2.9.10.4 > --- > > Key: AMQ-7484 > URL: https://issues.apache.org/jira/browse/AMQ-7484 > Project: ActiveMQ > Issue Type: Bug >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.13 > > > This task is to update Jackson Databind to 2.9.10.4, to get rid of another > load of CVEs (e.g. https://nvd.nist.gov/vuln/detail/CVE-2020-10672) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7484) Update Jackson Databind to 2.9.10.4
Colm O hEigeartaigh created AMQ-7484: Summary: Update Jackson Databind to 2.9.10.4 Key: AMQ-7484 URL: https://issues.apache.org/jira/browse/AMQ-7484 Project: ActiveMQ Issue Type: Bug Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 This task is to update Jackson Databind to 2.9.10.4, to get rid of another load of CVEs (e.g. https://nvd.nist.gov/vuln/detail/CVE-2020-10672) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7472) Update SLF4J to 1.7.30
Colm O hEigeartaigh created AMQ-7472: Summary: Update SLF4J to 1.7.30 Key: AMQ-7472 URL: https://issues.apache.org/jira/browse/AMQ-7472 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 This task is to update SLF4J to 1.7.30 to pick up a fix for [https://www.cvedetails.com/cve/CVE-2018-8088/] (fixed in 1.7.26) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-7472) Update SLF4J to 1.7.30
[ https://issues.apache.org/jira/browse/AMQ-7472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on AMQ-7472 started by Colm O hEigeartaigh. > Update SLF4J to 1.7.30 > -- > > Key: AMQ-7472 > URL: https://issues.apache.org/jira/browse/AMQ-7472 > Project: ActiveMQ > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.13 > > > This task is to update SLF4J to 1.7.30 to pick up a fix for > [https://www.cvedetails.com/cve/CVE-2018-8088/] (fixed in 1.7.26) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7458) Implement bounds checking on the message scheduling properties
Colm O hEigeartaigh created AMQ-7458: Summary: Implement bounds checking on the message scheduling properties Key: AMQ-7458 URL: https://issues.apache.org/jira/browse/AMQ-7458 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0 This task is to implement bounds checking on the message scheduling properties. The values for delay, period + repeat should be rejected if they are < 0. Also, a maximum value should be set (and configurable) for the max repeat value, as it has the potential to cause a denial of service issue if many messages are sent with a repeat value of Integer.MAX_VALUE. In the accompanying PR, I've set the default max value to 1000. -- This message was sent by Atlassian Jira (v8.3.4#803005)
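The bounds check described above, written out as a broker-side validator. This is an added example, not ActiveMQ's own code or the code in the accompanying PR: the AMQ_SCHEDULED_* property names are the ones ActiveMQ producers set, but the ScheduleValidator class, its constructor argument and the three sample property sets are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not ActiveMQ code: validates the scheduling properties a
 * producer can set on a message before the broker accepts the schedule.
 * The property names match what ActiveMQ producers set; the validator
 * class, its maxRepeat setting and the sample messages are assumptions.
 */
public class ScheduleValidator {
    static final String AMQ_SCHEDULED_DELAY  = "AMQ_SCHEDULED_DELAY";
    static final String AMQ_SCHEDULED_PERIOD = "AMQ_SCHEDULED_PERIOD";
    static final String AMQ_SCHEDULED_REPEAT = "AMQ_SCHEDULED_REPEAT";

    /** Ceiling on repeat: 1000 is the default the issue proposes; operators can raise it. */
    private final int maxRepeat;

    ScheduleValidator(int maxRepeat) {
        this.maxRepeat = maxRepeat;
    }

    /** Rejects a negative delay, period or repeat, and a repeat above the configured maximum. */
    void validate(Map<String, Object> props) {
        long delay  = longProperty(props, AMQ_SCHEDULED_DELAY);
        long period = longProperty(props, AMQ_SCHEDULED_PERIOD);
        long repeat = longProperty(props, AMQ_SCHEDULED_REPEAT);
        if (delay < 0 || period < 0 || repeat < 0) {
            throw new IllegalArgumentException("negative scheduling value (delay=" + delay
                    + ", period=" + period + ", repeat=" + repeat + ")");
        }
        if (repeat > maxRepeat) {
            throw new IllegalArgumentException("repeat=" + repeat
                    + " exceeds configured maximum " + maxRepeat);
        }
    }

    /** A missing property means "not set" (0); a non-numeric value is an error, not a silent 0. */
    static long longProperty(Map<String, Object> props, String name) {
        Object v = props.get(name);
        if (v == null) return 0L;
        if (v instanceof Number) return ((Number) v).longValue();
        try {
            return Long.parseLong(v.toString().trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(name + " is not numeric: " + v);
        }
    }

    public static void main(String[] args) {
        ScheduleValidator validator = new ScheduleValidator(1000);

        // Constructed property sets: a normal schedule, a negative delay, and the
        // Integer.MAX_VALUE repeat the issue names as a denial-of-service vector.
        Map<String, Object> normal = new HashMap<>();
        normal.put(AMQ_SCHEDULED_DELAY, 5_000L);
        normal.put(AMQ_SCHEDULED_PERIOD, 1_000L);
        normal.put(AMQ_SCHEDULED_REPEAT, 10);

        Map<String, Object> negative = new HashMap<>(normal);
        negative.put(AMQ_SCHEDULED_DELAY, -1L);

        Map<String, Object> flood = new HashMap<>(normal);
        flood.put(AMQ_SCHEDULED_REPEAT, Integer.MAX_VALUE);

        for (Map<String, Object> props : Arrays.asList(normal, negative, flood)) {
            try {
                validator.validate(props);
                System.out.println("accepted: " + props);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check belongs where the broker first reads the scheduling headers, so a rejected message is never written to the job store; returning an explicit error to the producer is preferable to silently clamping the value, which would hide misbehaving clients.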
[jira] [Created] (AMQ-7457) Support wider password encryption schemes
Colm O hEigeartaigh created AMQ-7457: Summary: Support wider password encryption schemes Key: AMQ-7457 URL: https://issues.apache.org/jira/browse/AMQ-7457 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0 For password encryption we only support the (default) algorithm PBEWithMD5AndDES. This task is to support more modern PBE algorithms for: * The activemq encrypt/decrypt script * JAAS properties In addition, we could use the more modern jasypt-spring4 dependency instead of jasypt-spring13 -- This message was sent by Atlassian Jira (v8.3.4#803005)
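To make the difference concrete, here is the same password encryption done with the legacy algorithm named in the issue and with a PBES2 algorithm that SunJCE ships in the JDK. This is an added example using plain javax.crypto, not ActiveMQ's encrypt/decrypt script and not Jasypt, so its output is not interchangeable with either; the salt||iv||ciphertext layout, the iteration counts and the sample password are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Added example, not ActiveMQ or Jasypt code: password-based encryption with
 * the legacy PBES1 algorithm and with a PBES2 algorithm from SunJCE.
 * The blob layout (salt || iv || ciphertext) and iteration counts are
 * choices made for this example.
 */
public class PbeComparison {
    static final String LEGACY = "PBEWithMD5AndDES";            // PBKDF1 with MD5, 56-bit DES key
    static final String MODERN = "PBEWithHmacSHA256AndAES_256"; // PBKDF2 with HMAC-SHA-256, AES-256-CBC
    static final SecureRandom RNG = new SecureRandom();

    static boolean isPbes2(String alg) { return alg.contains("AES"); }
    static int saltLen(String alg)    { return isPbes2(alg) ? 16 : 8; }  // SunJCE's DES PBE insists on an 8-byte salt
    static int ivLen(String alg)      { return isPbes2(alg) ? 16 : 0; }  // PBES1 derives its IV from the password
    static int iterations(String alg) { return isPbes2(alg) ? 100_000 : 1_000; }

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    static PBEParameterSpec params(String alg, byte[] salt, byte[] iv) {
        return isPbes2(alg)
                ? new PBEParameterSpec(salt, iterations(alg), new IvParameterSpec(iv))
                : new PBEParameterSpec(salt, iterations(alg));
    }

    static SecretKey key(String alg, char[] password) throws Exception {
        // The factory only wraps the password; salt and iteration count arrive via the cipher parameters.
        return SecretKeyFactory.getInstance(alg).generateSecret(new PBEKeySpec(password));
    }

    /** Returns salt || iv || ciphertext so that decrypt() needs nothing but the password. */
    static byte[] encrypt(String alg, char[] password, byte[] plaintext) throws Exception {
        byte[] salt = randomBytes(saltLen(alg));
        byte[] iv = randomBytes(ivLen(alg));
        Cipher cipher = Cipher.getInstance(alg);
        cipher.init(Cipher.ENCRYPT_MODE, key(alg, password), params(alg, salt, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[salt.length + iv.length + ct.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(iv, 0, out, salt.length, iv.length);
        System.arraycopy(ct, 0, out, salt.length + iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(String alg, char[] password, byte[] blob) throws Exception {
        int s = saltLen(alg), v = ivLen(alg);
        byte[] salt = Arrays.copyOfRange(blob, 0, s);
        byte[] iv = Arrays.copyOfRange(blob, s, s + v);
        byte[] ct = Arrays.copyOfRange(blob, s + v, blob.length);
        Cipher cipher = Cipher.getInstance(alg);
        cipher.init(Cipher.DECRYPT_MODE, key(alg, password), params(alg, salt, iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        char[] masterPassword = "constructed-master-password".toCharArray();   // sample input
        byte[] secret = "brokerPassword123".getBytes(StandardCharsets.UTF_8);  // sample input
        for (String alg : new String[] { LEGACY, MODERN }) {
            byte[] blob = encrypt(alg, masterPassword, secret);
            String back = new String(decrypt(alg, masterPassword, blob), StandardCharsets.UTF_8);
            System.out.printf("%-28s %s%n  round trip ok: %b%n",
                    alg, Base64.getEncoder().encodeToString(blob), back.equals("brokerPassword123"));
        }
    }
}
```

The practical difference is in the key derivation and the cipher: PBEWithMD5AndDES derives a 56-bit DES key with PBKDF1 and a fixed-format 8-byte salt, while the PBES2 name derives an AES-256 key with PBKDF2 at a tunable iteration count and takes an explicit IV. Whatever algorithm the broker ends up supporting, the salt and IV must be stored alongside the ciphertext, as the blob layout above does.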
[jira] [Created] (AMQ-7454) Remove xmpp artifacts
Colm O hEigeartaigh created AMQ-7454: Summary: Remove xmpp artifacts Key: AMQ-7454 URL: https://issues.apache.org/jira/browse/AMQ-7454 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 There are a few artifacts left over from activemq-xmpp, which should be removed. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7450) Put some restrictions on the URLs that are allowed in BlobMessages
Colm O hEigeartaigh created AMQ-7450: Summary: Put some restrictions on the URLs that are allowed in BlobMessages Key: AMQ-7450 URL: https://issues.apache.org/jira/browse/AMQ-7450 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 This task is to put some restrictions on the URLs that are allowed in BlobMessages. -- This message was sent by Atlassian Jira (v8.3.4#803005)
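One shape such a restriction can take is an allow-list on scheme and host applied before anyone fetches the blob. This is an added example and not ActiveMQ's implementation of the issue: the BlobUrlPolicy class, the allowed scheme and host sets, and the sample URLs are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not ActiveMQ code: an allow-list policy for the URL carried
 * by a BlobMessage, to be applied before the blob is fetched. The policy
 * class, the allowed scheme/host sets and the sample URLs are assumptions.
 */
public class BlobUrlPolicy {
    private final Set<String> allowedSchemes;
    private final Set<String> allowedHosts;

    BlobUrlPolicy(Set<String> allowedSchemes, Set<String> allowedHosts) {
        this.allowedSchemes = allowedSchemes;
        this.allowedHosts = allowedHosts;
    }

    /** Returns the reason a URL is rejected, or null if it is allowed. */
    String reject(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return "unparseable URL";
        }
        if (!uri.isAbsolute()) return "relative URL";
        // Opaque URIs (jar:, mailto:, ...) carry no host to check, so they cannot be allow-listed.
        if (uri.isOpaque()) return "opaque URI";
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!allowedSchemes.contains(scheme)) return "scheme " + scheme + " not allowed";
        // https://blobs.example.com@attacker.example/ parses with host=attacker.example; the
        // user-info prefix is only there to fool a reader, so refuse it outright.
        if (uri.getRawUserInfo() != null) return "user-info in URL";
        String host = uri.getHost();
        if (host == null) return "no host";   // e.g. https:///x
        // Port is deliberately not part of the match; add uri.getPort() here if it should be.
        if (!allowedHosts.contains(host.toLowerCase(Locale.ROOT))) return "host " + host + " not allowed";
        return null;
    }

    public static void main(String[] args) {
        BlobUrlPolicy policy = new BlobUrlPolicy(
                new HashSet<>(Arrays.asList("https")),
                new HashSet<>(Arrays.asList("blobs.example.com")));

        // Constructed sample URLs: one legitimate, the rest the kinds a broker should not follow.
        String[] samples = {
            "https://blobs.example.com/uploads/report.pdf",
            "HTTPS://Blobs.Example.com/uploads/report.pdf",
            "http://blobs.example.com/uploads/report.pdf",
            "file:///etc/passwd",
            "https://169.254.169.254/latest/meta-data/",
            "https://blobs.example.com@attacker.example/report.pdf",
            "jar:https://blobs.example.com/a.jar!/x",
            "blobs.example.com/report.pdf",
        };
        for (String url : samples) {
            String reason = policy.reject(url);
            System.out.println((reason == null ? "allowed : " : "rejected: ") + url
                    + (reason == null ? "" : "  (" + reason + ")"));
        }
    }
}
```

The scheme check is what keeps the broker away from file: and other local handlers; the host check is what keeps it away from internal services such as cloud metadata endpoints, which is the server-side request forgery case that matters most when a broker fetches URLs supplied by clients.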
[jira] [Created] (AMQ-7449) Update Shiro to 1.5.2
Colm O hEigeartaigh created AMQ-7449: Summary: Update Shiro to 1.5.2 Key: AMQ-7449 URL: https://issues.apache.org/jira/browse/AMQ-7449 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 We need to update Shiro to 1.5.2 due to CVE-2020-1957 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7447) Update copyright years
Colm O hEigeartaigh created AMQ-7447: Summary: Update copyright years Key: AMQ-7447 URL: https://issues.apache.org/jira/browse/AMQ-7447 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 There are numerous instances in the codebase where the copyright years are out of date, they should be updated. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7446) Remove some synchronized blocks in the MessageServlet
Colm O hEigeartaigh created AMQ-7446: Summary: Remove some synchronized blocks in the MessageServlet Key: AMQ-7446 URL: https://issues.apache.org/jira/browse/AMQ-7446 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0 It's possible to tidy up the code a bit in the MessageServlet to remove some synchronized blocks and improve throughput. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7440) Fix potential race condition in DiscoveryRegistryServlet
Colm O hEigeartaigh created AMQ-7440: Summary: Fix potential race condition in DiscoveryRegistryServlet Key: AMQ-7440 URL: https://issues.apache.org/jira/browse/AMQ-7440 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.15.13, 5.16.1 There is a potential race condition in DiscoveryRegistryServlet that could be fixed by making the getServiceGroup atomic. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7438) Harden deserialization
Colm O hEigeartaigh created AMQ-7438: Summary: Harden deserialization Key: AMQ-7438 URL: https://issues.apache.org/jira/browse/AMQ-7438 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.13 There are a few instances in the codebase where we can harden deserialization, to make it harder for an attacker to try to deserialize to a "gadget" class. -- This message was sent by Atlassian Jira (v8.3.4#803005)
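The usual way to make a gadget class unreachable is to refuse it at class-resolution time, before any instance exists and before its readObject() can run. The following is an added example and not ActiveMQ's code: the SafeObjectInputStream class, its trusted-package list, and the Gadget class that stands in for a real gadget are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not ActiveMQ code: an ObjectInputStream that refuses to
 * resolve any class outside a trusted-package list. The stream class, the
 * package list and the Gadget stand-in are assumptions for this example.
 */
public class SafeObjectInputStream extends ObjectInputStream {
    private final Collection<String> trustedPackages;

    public SafeObjectInputStream(InputStream in, Collection<String> trustedPackages) throws IOException {
        super(in);
        this.trustedPackages = trustedPackages;
    }

    /** Called for every class descriptor in the stream before the class is resolved: the place to say no. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        checkTrusted(desc.getName());
        return super.resolveClass(desc);
    }

    /** Dynamic proxies are resolved by interface name; check every one of them. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) checkTrusted(iface);
        return super.resolveProxyClass(interfaces);
    }

    private void checkTrusted(String className) throws InvalidClassException {
        String name = className;
        while (name.startsWith("[")) name = name.substring(1);            // array of ...
        if (name.length() == 1) return;                                   // primitive component, e.g. "[B"
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        for (String pkg : trustedPackages) {
            if (name.startsWith(pkg + ".")) return;
        }
        throw new InvalidClassException(className, "not in trusted packages " + trustedPackages);
    }

    /** Stands in for a gadget: whatever readObject() does runs during deserialization. */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean executed;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true;   // a real gadget chain would be doing something far worse here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Collection<String> trusted = Arrays.asList("java.lang", "java.util");

        // Constructed benign payload: HashMap and Integer are both in trusted packages.
        Map<String, Integer> benign = new HashMap<>();
        benign.put("retries", 3);
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(benign)), trusted)) {
            System.out.println("benign payload: " + in.readObject());
        }

        byte[] hostile = serialize(new Gadget());

        // Plain ObjectInputStream: the gadget's readObject() runs.
        Gadget.executed = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostile))) {
            in.readObject();
        }
        System.out.println("plain stream, gadget executed: " + Gadget.executed);

        // Hardened stream: rejected in resolveClass(), so no instance is ever created.
        Gadget.executed = false;
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(hostile), trusted)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("hardened stream rejected: " + e.getMessage());
        }
        System.out.println("hardened stream, gadget executed: " + Gadget.executed);
    }
}
```

On Java 9 and later the JDK offers the same control without subclassing: build a filter with ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;!*") and install it with setObjectInputFilter on the stream. Either way, the list should be as short as the payload actually needs; a broad allow-list such as "java.*" readmits several well-known gadget classes.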
[jira] [Updated] (AMQ-7435) Update Shiro to 1.5.1
[ https://issues.apache.org/jira/browse/AMQ-7435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7435: - Fix Version/s: (was: 5.1.60) 5.16.0 > Update Shiro to 1.5.1 > - > > Key: AMQ-7435 > URL: https://issues.apache.org/jira/browse/AMQ-7435 > Project: ActiveMQ > Issue Type: Improvement > Components: Security/JAAS >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.12 > > Time Spent: 20m > Remaining Estimate: 0h > > Update Shiro to 1.5.1 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7435) Update Shiro to 1.5.1
Colm O hEigeartaigh created AMQ-7435: Summary: Update Shiro to 1.5.1 Key: AMQ-7435 URL: https://issues.apache.org/jira/browse/AMQ-7435 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.15.13, 5.16.1 Update Shiro to 1.5.1 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7434) Enable Jolokia CORS strict-checking by default
Colm O hEigeartaigh created AMQ-7434: Summary: Enable Jolokia CORS strict-checking by default Key: AMQ-7434 URL: https://issues.apache.org/jira/browse/AMQ-7434 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 We should enable Jolokia CORS strict-checking by default. Otherwise the web console is potentially vulnerable to a CSRF style attack, as Jolokia allows all origins by default. This change has a minor backwards compatibility implication - a REST client must specify (some) Origin header in the request - and also calling from "localhost" in the browser won't work. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (AMQ-6818) how to set X-XSS-Protection in activemq5.14.2
[ https://issues.apache.org/jira/browse/AMQ-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh resolved AMQ-6818. -- Resolution: Duplicate See https://issues.apache.org/jira/browse/AMQ-7265 > how to set X-XSS-Protection in activemq5.14.2 > - > > Key: AMQ-6818 > URL: https://issues.apache.org/jira/browse/AMQ-6818 > Project: ActiveMQ > Issue Type: Bug > Environment: Active MQ >Reporter: Geetha >Priority: Major > > Team, > Recently our security team reported a vulnerability: "X-XSS-Protection HTTP > Header missing on port 8141 (activemq port). > X-Content-Type-Options HTTP Header missing on port 8141. > Content-Security-Policy HTTP Header missing on port 8141." > I see the xss-protection is fixed in activeMQ 5.3.1, but we are using > ActiveMQ 15.4.2. > Can someone help us in fixing the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7053) Update Jetty to version 9.2.26.v20180806
[ https://issues.apache.org/jira/browse/AMQ-7053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7053: - Fix Version/s: (was: 5.16.0) > Update Jetty to version 9.2.26.v20180806 > > > Key: AMQ-7053 > URL: https://issues.apache.org/jira/browse/AMQ-7053 > Project: ActiveMQ > Issue Type: Task >Reporter: Jamie Mark Goodyear >Priority: Major > > Jetty 9.2.25.v20180606 is picked up by owasp utility, update to > 9.2.26.v20180806 to remove issue. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (AMQ-7053) Update Jetty to version 9.2.26.v20180806
[ https://issues.apache.org/jira/browse/AMQ-7053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh resolved AMQ-7053. -- Resolution: Fixed > Update Jetty to version 9.2.26.v20180806 > > > Key: AMQ-7053 > URL: https://issues.apache.org/jira/browse/AMQ-7053 > Project: ActiveMQ > Issue Type: Task >Reporter: Jamie Mark Goodyear >Priority: Major > Fix For: 5.16.0 > > > Jetty 9.2.25.v20180606 is picked up by owasp utility, update to > 9.2.26.v20180806 to remove issue. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Closed] (AMQ-7160) Use secure repository URL
[ https://issues.apache.org/jira/browse/AMQ-7160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh closed AMQ-7160. > Use secure repository URL > - > > Key: AMQ-7160 > URL: https://issues.apache.org/jira/browse/AMQ-7160 > Project: ActiveMQ > Issue Type: Task >Reporter: Olaf Flebbe >Priority: Major > > See github pull request 347 > Use secure uri for sprint repo -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (AMQ-7160) Use secure repository URL
[ https://issues.apache.org/jira/browse/AMQ-7160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh resolved AMQ-7160. -- Resolution: Duplicate > Use secure repository URL > - > > Key: AMQ-7160 > URL: https://issues.apache.org/jira/browse/AMQ-7160 > Project: ActiveMQ > Issue Type: Task >Reporter: Olaf Flebbe >Priority: Major > > See github pull request 347 > Use secure uri for sprint repo -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (AMQ-7031) Upgrade to Apache Camel 2.22.0
[ https://issues.apache.org/jira/browse/AMQ-7031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh resolved AMQ-7031. -- Fix Version/s: (was: 5.16.0) Resolution: Fixed > Upgrade to Apache Camel 2.22.0 > -- > > Key: AMQ-7031 > URL: https://issues.apache.org/jira/browse/AMQ-7031 > Project: ActiveMQ > Issue Type: Task > Components: Camel >Reporter: Claus Ibsen >Priority: Major > > Upgrade Camel -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7423) Remove synchronization from JAAS PropertiesLoader
Colm O hEigeartaigh created AMQ-7423: Summary: Remove synchronization from JAAS PropertiesLoader Key: AMQ-7423 URL: https://issues.apache.org/jira/browse/AMQ-7423 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 It's possible to remove the synchronized block from PropertiesLoader relying instead on ConcurrentHashMap. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7320) Upgrade to Jackson 2.9.10.2
[ https://issues.apache.org/jira/browse/AMQ-7320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040721#comment-17040721 ] Colm O hEigeartaigh commented on AMQ-7320: -- There is another CVE coming in 2.9.10.3, but it's not out yet: https://github.com/FasterXML/jackson-databind/issues/2620 > Upgrade to Jackson 2.9.10.2 > --- > > Key: AMQ-7320 > URL: https://issues.apache.org/jira/browse/AMQ-7320 > Project: ActiveMQ > Issue Type: Task > Components: Broker, Web Console >Reporter: Jean-Baptiste Onofré >Assignee: Jean-Baptiste Onofré >Priority: Major > Fix For: 5.16.0, 5.15.12 > > Time Spent: 1h > Remaining Estimate: 0h > > In order to fix a new CVE, we have to update to Jackson 2.10.0. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7278) Upgrade to Scala 2.11.11
[ https://issues.apache.org/jira/browse/AMQ-7278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040701#comment-17040701 ] Colm O hEigeartaigh commented on AMQ-7278: -- Any chance we could revisit this and bump to .12 instead? There's a CVE for .11: scala-library-2.11.11.jar (pkg:maven/org.scala-lang/scala-library@2.11.11, cpe:2.3:a:scala-lang:scala:2.11.11:*:*:*:*:*:*:*) : CVE-2017-15288 https://nvd.nist.gov/vuln/detail/CVE-2017-15288 > Upgrade to Scala 2.11.11 > > > Key: AMQ-7278 > URL: https://issues.apache.org/jira/browse/AMQ-7278 > Project: ActiveMQ > Issue Type: Task > Components: Broker >Reporter: Jean-Baptiste Onofré >Assignee: Jean-Baptiste Onofré >Priority: Major > Fix For: 5.16.0, 5.15.12 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7413) Misc logging fixes
Colm O hEigeartaigh created AMQ-7413: Summary: Misc logging fixes Key: AMQ-7413 URL: https://issues.apache.org/jira/browse/AMQ-7413 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 This is a PR to track some misc trivial logging fixes. This PR was originally submitted [https://github.com/apache/activemq/pull/257] - however it no longer applies, and the upstream branch is removed. I will clean it up and submit a new PR based on this. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7412) Fix NPE in SimpleAuthenticationPlugin
Colm O hEigeartaigh created AMQ-7412: Summary: Fix NPE in SimpleAuthenticationPlugin Key: AMQ-7412 URL: https://issues.apache.org/jira/browse/AMQ-7412 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 There's a NPE in the SimpleAuthenticationPlugin, if no groups are specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7411) Avoid leaking Hadoop test dependency
Colm O hEigeartaigh created AMQ-7411: Summary: Avoid leaking Hadoop test dependency Key: AMQ-7411 URL: https://issues.apache.org/jira/browse/AMQ-7411 Project: ActiveMQ Issue Type: Improvement Components: LevelDB Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 In activemq-leveldb-store, it adds an ancient Hadoop dependency under "compile", even though Hadoop is only used for test purposes. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7406) ActiveMQSslConnectionFactory truststore settings don't work for the HTTPS connector
Colm O hEigeartaigh created AMQ-7406: Summary: ActiveMQSslConnectionFactory truststore settings don't work for the HTTPS connector Key: AMQ-7406 URL: https://issues.apache.org/jira/browse/AMQ-7406 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 The ActiveMQSslConnectionFactory truststore settings don't work for the HTTPS Connector (as opposed to working fine for the SSL Connector). This is because in HttpsClientTransport it queries SslContext.getCurrentSslContext() *after* it has already been reset to null in ActiveMQSslConnectionFactory.createTransport. In addition, we don't allow a way to turn off hostname verification for testing. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7393) Remove unused Selenium tests
[ https://issues.apache.org/jira/browse/AMQ-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7393: - Priority: Trivial (was: Major) > Remove unused Selenium tests > > > Key: AMQ-7393 > URL: https://issues.apache.org/jira/browse/AMQ-7393 > Project: ActiveMQ > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Trivial > Fix For: 5.16.0, 5.15.12 > > > There are two Ignored Selenium tests in activemq-http that should just be > removed, as they have been there since at least 2012. The Selenium dependency drags > in some jars with known CVEs so it would be good to remove it. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7393) Remove unused Selenium tests
Colm O hEigeartaigh created AMQ-7393: Summary: Remove unused Selenium tests Key: AMQ-7393 URL: https://issues.apache.org/jira/browse/AMQ-7393 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 There are two Ignored Selenium tests in activemq-http that should just be removed, as they have been there since at least 2012. The Selenium dependency drags in some jars with known CVEs so it would be good to remove it. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-7390) Update Jetty to 9.4.26.v20200117
[ https://issues.apache.org/jira/browse/AMQ-7390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on AMQ-7390 started by Colm O hEigeartaigh. > Update Jetty to 9.4.26.v20200117 > > > Key: AMQ-7390 > URL: https://issues.apache.org/jira/browse/AMQ-7390 > Project: ActiveMQ > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 5.16.0, 5.15.12 > > > This task is to update Jetty to 9.4.26.v20200117, to pick up a fix for > CVE-2019-17632 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7390) Update Jetty to 9.4.26.v20200117
Colm O hEigeartaigh created AMQ-7390: Summary: Update Jetty to 9.4.26.v20200117 Key: AMQ-7390 URL: https://issues.apache.org/jira/browse/AMQ-7390 Project: ActiveMQ Issue Type: Improvement Reporter: Colm O hEigeartaigh Assignee: Colm O hEigeartaigh Fix For: 5.16.0, 5.15.12 This task is to update Jetty to 9.4.26.v20200117, to pick up a fix for CVE-2019-17632 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-7142) Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
[ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on AMQ-7142 started by Colm O hEigeartaigh. > Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks > KeyStore Loading > -- > > Key: AMQ-7142 > URL: https://issues.apache.org/jira/browse/AMQ-7142 > Project: ActiveMQ > Issue Type: Bug > Components: Camel >Affects Versions: 5.15.2 > Environment: OpenJDK 11 (AdoptOpenJDK). > Mac OS >Reporter: Nathan Hook >Assignee: Colm O hEigeartaigh >Priority: Blocker > Fix For: 5.16.0, 5.15.12 > > > The insertion of the Bouncy Castle Provider in the > org.apache.activemq.broker.BrokerService class is causing issues with our app, > which expects one of the default SunJCE Ciphers to be called, but a Bouncy > Castle Cipher is returned instead. > This causes our Spring Security SAML keystores to not be loaded correctly > because the Bouncy Castle Cipher thinks that the keystore was tampered with. > > I believe that the source of the problem is this line in the BrokerService > class: > Security.insertProviderAt(bouncycastle, > Integer.getInteger("org.apache.activemq.broker.BouncyCastlePosition", 2)); > Looking at the Java 11 source code there are 6 providers installed by the > java.security.Security class in the initializeStatic method: > {code:java} > private static void initializeStatic() { > props.put("security.provider.1", "sun.security.provider.Sun"); > props.put("security.provider.2", "sun.security.rsa.SunRsaSign"); > props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider"); > props.put("security.provider.4", "com.sun.crypto.provider.SunJCE"); > props.put("security.provider.5", "sun.security.jgss.SunProvider"); > props.put("security.provider.6", "com.sun.security.sasl.Provider"); > }{code} > > If possible it would be great if the org.apache.activemq.broker.BrokerService > class would call > addProvider instead of insertProviderAt. > > Thank you for your time. 
-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7348) Update Apache Shiro to 1.4.2
[ https://issues.apache.org/jira/browse/AMQ-7348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7348: - Summary: Update Apache Shiro to 1.4.2 (was: Update Apache Shiro) > Update Apache Shiro to 1.4.2 > > > Key: AMQ-7348 > URL: https://issues.apache.org/jira/browse/AMQ-7348 > Project: ActiveMQ > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Jean-Baptiste Onofré >Priority: Major > Fix For: 5.16.0, 5.15.12 > > Time Spent: 20m > Remaining Estimate: 0h > > We need to update Apache Shiro to pick up the fix for a newly released CVE. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (AMQ-7231) XSS in webconsole
[ https://issues.apache.org/jira/browse/AMQ-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on AMQ-7231 started by Colm O hEigeartaigh. > XSS in webconsole > - > > Key: AMQ-7231 > URL: https://issues.apache.org/jira/browse/AMQ-7231 > Project: ActiveMQ > Issue Type: Bug > Components: Web Console >Affects Versions: 5.15.6 >Reporter: Torbjørn Skyberg Knutsen >Assignee: Colm O hEigeartaigh >Priority: Critical > Fix For: 5.16.0, 5.15.12 > > > The admin GUI is very much open to XSS, in the view that lists the contents > of a queue. > Using Camel, here is the code required to make the GUI run JavaScript-code: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", > "hello}\">alert('XSS :(');"); > {code} > This also happens when you have a header containing xml, where an element > holds an attribute: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", " something=\"something\">hello>alert('XSS :(');"); > {code} > Seems to be due to how the title of the message is generated. This last one > also messes up the way a message is displayed in the list, since it will > start displaying the xml content after the attribute as HTML. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (AMQ-7231) XSS in webconsole
[ https://issues.apache.org/jira/browse/AMQ-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh reassigned AMQ-7231: Assignee: Colm O hEigeartaigh > XSS in webconsole > - > > Key: AMQ-7231 > URL: https://issues.apache.org/jira/browse/AMQ-7231 > Project: ActiveMQ > Issue Type: Bug > Components: Web Console >Affects Versions: 5.15.6 >Reporter: Torbjørn Skyberg Knutsen >Assignee: Colm O hEigeartaigh >Priority: Critical > > The admin GUI is very much open to XSS, in the view that lists the contents > of a queue. > Using Camel, here is the code required to make the GUI run JavaScript-code: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", > "hello}\">alert('XSS :(');"); > {code} > This also happens when you have a header containing xml, where an element > holds an attribute: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", " something=\"something\">hello>alert('XSS :(');"); > {code} > Seems to be due to how the title of the message is generated. This last one > also messes up the way a message is displayed in the list, since it will > start displaying the xml content after the attribute as HTML. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7231) XSS in webconsole
[ https://issues.apache.org/jira/browse/AMQ-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated AMQ-7231: - Fix Version/s: 5.15.12 5.16.0 > XSS in webconsole > - > > Key: AMQ-7231 > URL: https://issues.apache.org/jira/browse/AMQ-7231 > Project: ActiveMQ > Issue Type: Bug > Components: Web Console >Affects Versions: 5.15.6 >Reporter: Torbjørn Skyberg Knutsen >Assignee: Colm O hEigeartaigh >Priority: Critical > Fix For: 5.16.0, 5.15.12 > > > The admin GUI is very much open to XSS, in the view that lists the contents > of a queue. > Using Camel, here is the code required to make the GUI run JavaScript-code: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", > "hello}\">alert('XSS :(');"); > {code} > This also happens when you have a header containing xml, where an element > holds an attribute: > {code:java} > messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", " something=\"something\">hello>alert('XSS :(');"); > {code} > Seems to be due to how the title of the message is generated. This last one > also messes up the way a message is displayed in the list, since it will > start displaying the xml content after the attribute as HTML. -- This message was sent by Atlassian Jira (v8.3.4#803005)
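What the report describes is a message header value landing unescaped inside an HTML attribute of the queue browser. The following added example, which is not the web console's code, shows the vulnerable rendering beside the escaped one; the row template and the two header values are constructed for this example.

```java
/**
 * Added example, not ActiveMQ web-console code: the difference between writing
 * a message header straight into an HTML attribute and escaping it first.
 * The row template and the header values are constructed for this example.
 */
public class HeaderEscaping {

    /** Escapes the five characters that can break out of HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** How the bug looks: the header value lands inside title="..." unescaped. */
    static String rowUnsafe(String headerValue) {
        return "<a href=\"message.jsp\" title=\"" + headerValue + "\">view</a>";
    }

    /** The fix: escape at the point where the value is written into HTML. */
    static String rowSafe(String headerValue) {
        return "<a href=\"message.jsp\" title=\"" + escapeHtml(headerValue) + "\">view</a>";
    }

    public static void main(String[] args) {
        // Constructed header values in the spirit of the report: the first closes the attribute
        // and injects a script; the second is XML whose own quotes break the attribute.
        String[] samples = {
            "hello\"><script>alert('XSS')</script>",
            "<note type=\"greeting\">hello</note>",
        };
        for (String h : samples) {
            System.out.println("unsafe: " + rowUnsafe(h));
            System.out.println("safe:   " + rowSafe(h));
        }
    }
}
```

In a JSP page the equivalent of escapeHtml is to emit the value through <c:out value="${...}"/>, which escapes by default, rather than through a bare ${...} expression in template text, which does not. Escaping for the attribute context also fixes the second symptom in the report: once the quote is encoded, the XML after it stays inside the attribute instead of being parsed as markup.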
[jira] [Assigned] (AMQ-7142) Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
[ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh reassigned AMQ-7142: Assignee: Colm O hEigeartaigh > Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks > KeyStore Loading > -- > > Key: AMQ-7142 > URL: https://issues.apache.org/jira/browse/AMQ-7142 > Project: ActiveMQ > Issue Type: Bug > Components: Camel >Affects Versions: 5.15.2 > Environment: OpenJDK 11 (AdoptOpenJDK). > Mac OS >Reporter: Nathan Hook >Assignee: Colm O hEigeartaigh >Priority: Blocker > > The insertion of the Bouncy Castle Provider in the > org.apache.activemq.broker.BrokerService class is causing issues with our app, > which expects one of the default SunJCE Ciphers to be called, but a Bouncy > Castle Cipher is returned instead. > This causes our Spring Security SAML keystores to not be loaded correctly > because the Bouncy Castle Cipher thinks that the keystore was tampered with. > > I believe that the source of the problem is this line in the BrokerService > class: > Security.insertProviderAt(bouncycastle, > Integer.getInteger("org.apache.activemq.broker.BouncyCastlePosition", 2)); > Looking at the Java 11 source code there are 6 providers installed by the > java.security.Security class in the initializeStatic method: > {code:java} > private static void initializeStatic() { > props.put("security.provider.1", "sun.security.provider.Sun"); > props.put("security.provider.2", "sun.security.rsa.SunRsaSign"); > props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider"); > props.put("security.provider.4", "com.sun.crypto.provider.SunJCE"); > props.put("security.provider.5", "sun.security.jgss.SunProvider"); > props.put("security.provider.6", "com.sun.security.sasl.Provider"); > }{code} > > If possible it would be great if the org.apache.activemq.broker.BrokerService > class would call > addProvider instead of insertProviderAt. > > Thank you for your time. 
-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (AMQ-7142) Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
[ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated AMQ-7142:

    Fix Version/s: 5.15.12
                   5.16.0

> Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
> --
>
> Key: AMQ-7142
> URL: https://issues.apache.org/jira/browse/AMQ-7142
> Project: ActiveMQ
> Issue Type: Bug
> Components: Camel
> Affects Versions: 5.15.2
> Environment: OpenJDK 11 (AdoptOpenJDK). Mac OS
> Reporter: Nathan Hook
> Assignee: Colm O hEigeartaigh
> Priority: Blocker
> Fix For: 5.16.0, 5.15.12

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (AMQ-7142) Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
[ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17020221#comment-17020221 ]

Colm O hEigeartaigh commented on AMQ-7142:
--

[~victorbucutea] - I'll fix this. A workaround is to already install the BouncyCastleProvider at a different position before the AMQ code is called.

> Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
> --
>
> Key: AMQ-7142
> URL: https://issues.apache.org/jira/browse/AMQ-7142
> Project: ActiveMQ
> Issue Type: Bug
> Components: Camel
> Affects Versions: 5.15.2
> Environment: OpenJDK 11 (AdoptOpenJDK). Mac OS
> Reporter: Nathan Hook
> Priority: Blocker

-- This message was sent by Atlassian Jira (v8.3.4#803005)
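The provider-ordering behaviour behind AMQ-7142, as an added example that is not part of the ticket or of ActiveMQ's code. The class name `ProviderOrderDemo` and the helper methods are hypothetical; it assumes a stock JDK 11 or later and the BouncyCastle provider jar (`org.bouncycastle:bcprov-jdk18on` or similar) on the classpath. It registers BC the way `BrokerService` did (`insertProviderAt` at position 2), shows which provider then answers `Cipher.getInstance()`, and contrasts that with `addProvider`, which the reporter asks for:

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example (not ActiveMQ code). Demonstrates that the position at which
 * BouncyCastle is registered decides which provider serves Cipher.getInstance()
 * for every library in the JVM, and how to register BC without displacing SunJCE.
 * Assumes bcprov is on the classpath.
 */
public class ProviderOrderDemo {

    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /** Name of the provider that currently serves the given transformation. */
    static String providerFor(String transformation)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Installed provider names in preference order (index 0 == position 1). */
    static List<String> providerOrder() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /**
     * What the reporter suggests: append BC at the end of the chain. Returns
     * BC's 1-based position, or -1 if a provider named "BC" is already installed
     * (the existing registration is then left exactly where it is).
     */
    static int registerBouncyCastleLast() {
        return Security.addProvider(new BouncyCastleProvider());
    }

    /** Fail fast if a transformation is no longer served by the provider we rely on. */
    static void requireProvider(String transformation, String expected)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        String actual = providerFor(transformation);
        if (!expected.equals(actual)) {
            throw new IllegalStateException(transformation + " is served by "
                    + actual + ", expected " + expected);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("stock JDK:               " + providerFor(TRANSFORMATION)); // SunJCE

        // What BrokerService did: position 2 is ahead of SunJCE in the default
        // list, and the providers before it offer no Cipher, so BC now answers
        // this AES request for any code running in the JVM.
        Security.insertProviderAt(new BouncyCastleProvider(), 2);
        System.out.println("insertProviderAt(bc, 2): " + providerFor(TRANSFORMATION)); // BC
        System.out.println("  order: " + providerOrder());

        // Reset, then register BC the way the reporter asks for.
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        int pos = registerBouncyCastleLast();
        System.out.println("addProvider(bc):         " + providerFor(TRANSFORMATION)
                + " (BC at position " + pos + ")");
        System.out.println("  order: " + providerOrder());

        // A second insertProviderAt is a no-op (returns -1) because a provider
        // named "BC" is already installed. This is why the workaround in the
        // comment above works: install BC yourself, at the position you want,
        // before the broker code runs its own insertProviderAt.
        int again = Security.insertProviderAt(new BouncyCastleProvider(), 2);
        System.out.println("second insertProviderAt: returned " + again
                + ", order unchanged: " + providerOrder());

        requireProvider(TRANSFORMATION, "SunJCE");
    }
}
```

Run it with the BC jar on the classpath. The `requireProvider` check is the kind of startup guard an application with the reporter's dependency (a keystore it expects the JDK's own provider to open) can add so that a library quietly reordering the JCA chain surfaces as a clear error rather than a misleading "keystore was tampered with" failure.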
[jira] [Created] (AMQ-7376) Use correct type for collections retrieval
Colm O hEigeartaigh created AMQ-7376:

    Summary: Use correct type for collections retrieval
    Key: AMQ-7376
    URL: https://issues.apache.org/jira/browse/AMQ-7376
    Project: ActiveMQ
    Issue Type: Bug
    Reporter: Colm O hEigeartaigh
    Fix For: 5.16.0, 5.15.12

There are a few instances where we are using the wrong (object) type with collections:

* Queue - browserDispatches.remove(sub) will always fail as the list holds different objects
* KahaDbStore - storeCache.get(convert(activeMQDestination)) will always fail as the destination needs to be converted to a key first
* MQTTProtocolConverter - activeMQDestinationMap.get(command.topicName()) - should be using toString() here instead.

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (AMQ-7375) Update Spring
Colm O hEigeartaigh created AMQ-7375:

    Summary: Update Spring
    Key: AMQ-7375
    URL: https://issues.apache.org/jira/browse/AMQ-7375
    Project: ActiveMQ
    Issue Type: Improvement
    Reporter: Colm O hEigeartaigh
    Fix For: 5.16.0, 5.15.12

This task is to update to the recently released Spring 4.3.26.

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (AMQ-7320) Upgrade to Jackson 2.10.1
[ https://issues.apache.org/jira/browse/AMQ-7320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17018161#comment-17018161 ]

Colm O hEigeartaigh edited comment on AMQ-7320 at 1/17/20 4:19 PM:
---

[~jbonofre] Until 2.10.x is working, can we upgrade master + 5.15.x branch to use Jackson databind 2.9.10.2? This fixes CVE-2019-20330. I've checked that everything works fine with this version.

was (Author: coheigea):
[~jbonofre] Until 2.10.x is working, can we upgrade master + 5.15.x branch to use Jackson databind 2.9.10.2? This fixes CVE-2019-20330.

> Upgrade to Jackson 2.10.1
> -
>
> Key: AMQ-7320
> URL: https://issues.apache.org/jira/browse/AMQ-7320
> Project: ActiveMQ
> Issue Type: Task
> Components: Broker, Web Console
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.0, 5.15.12
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In order to fix a new CVE, we have to update to Jackson 2.10.0.

-- This message was sent by Atlassian Jira (v8.3.4#803005)