- Issued: 2013-07-09
- Updated: 2013-07-09
RHSA-2013:1029 - Important: Fuse MQ Enterprise 7.1.0 update
Synopsis
Important: Fuse MQ Enterprise 7.1.0 update
Type/Severity
Security Advisory Important
Topic
Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Description
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file included with the patch files for information about the bug fixes.
The following security issues are also fixed with this release:
It was found that, by default, the Apache ActiveMQ web console did not require authentication. A remote attacker could use this flaw to modify the state of the Apache ActiveMQ environment, obtain sensitive information, or cause a denial of service. (CVE-2013-3060)
Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ demo web applications. A remote attacker could use these flaws to inject arbitrary web script or HTML on pages displayed by the demo web applications. (CVE-2012-6092)
It was found that a sample Apache ActiveMQ application was deployed by default. A remote attacker could use this flaw to send the sample application requests, allowing them to consume all available broker resources. (CVE-2012-6551)
A stored cross-site scripting (XSS) flaw was found in the way Apache ActiveMQ handled cron jobs. A remote attacker could use this flaw to perform an XSS attack against users viewing the scheduled.jsp page. (CVE-2013-1879)
A reflected cross-site scripting (XSS) flaw was found in the portfolioPublish servlet of the Apache ActiveMQ demo web applications. A remote attacker could use this flaw to inject arbitrary web script or HTML. (CVE-2013-1880)
Note: All of the above flaws only affected the distribution of Apache ActiveMQ included in the extras directory of the Fuse MQ Enterprise distribution. The Fuse MQ Enterprise product itself was not affected by any of the above flaws.
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team.
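The CVE-2013-2035 pattern described above, as an added example that is not HawtJNI's own code and is written in Python rather than the library's Java: a vulnerable extractor that drops the bundled library at a fixed name in a shared temporary directory, beside a hardened extractor that uses a private mode-0700 directory and exclusive creation, plus the ownership and permission check a loader should run before handing the file to dlopen/System.load. The library name `libhawtjni.so`, the placeholder bytes and the scratch "shared tmp" directory are constructed for the example; the real /tmp is never touched.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the native library bytes a JAR would bundle.
BUNDLED_LIB_BYTES = b"\x7fELF-constructed-placeholder-not-a-real-library"


def extract_predictable(lib_name, shared_tmp="/tmp"):
    """Vulnerable pattern (CVE-2013-2035 shape): fixed, guessable name in a
    directory every local user can write to. open() follows a planted
    symlink and truncates whatever it points at, and nothing stops another
    user from replacing the file between this write and the load."""
    path = os.path.join(shared_tmp, lib_name)
    with open(path, "wb") as f:
        f.write(BUNDLED_LIB_BYTES)
    return path


def extract_private(lib_name):
    """Hardened pattern: a fresh mode-0700 directory with a random name, and
    the file created with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or
    symlink makes the call fail instead of being silently reused."""
    private_dir = tempfile.mkdtemp(prefix="hawtjni-")  # 0700, random suffix
    path = os.path.join(private_dir, lib_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o500)  # owner read+exec only once written
    with os.fdopen(fd, "wb") as f:
        f.write(BUNDLED_LIB_BYTES)
    return path


def safe_to_load(path):
    """Pre-load check: regular file (not a symlink), file and parent directory
    owned by this uid, neither writable by group or others. A file sitting in
    a world-writable directory such as /tmp fails on the parent test alone."""
    st = os.lstat(path)
    parent = os.lstat(os.path.dirname(path))
    other_write = stat.S_IWGRP | stat.S_IWOTH
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and parent.st_uid == os.getuid()
            and not (st.st_mode & other_write)
            and not (parent.st_mode & other_write))


def demo():
    """Emulate a shared /tmp inside a scratch directory (constructed) and
    return what happens to each extraction pattern."""
    shared = tempfile.mkdtemp(prefix="shared-tmp-")
    os.chmod(shared, 0o777)  # world-writable, like /tmp
    try:
        # Local attacker acts first: plants a symlink at the predictable name.
        victim = os.path.join(shared, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original contents")
        os.symlink(victim, os.path.join(shared, "libhawtjni.so"))

        # Victim process extracts: the write goes through the symlink and
        # overwrites the attacker's chosen target.
        vuln_path = extract_predictable("libhawtjni.so", shared)
        with open(victim, "rb") as f:
            clobbered = f.read() == BUNDLED_LIB_BYTES

        safe_path = extract_private("libhawtjni.so")
        try:
            result = {
                "victim_clobbered": clobbered,
                "predictable_safe": safe_to_load(vuln_path),
                "private_safe": safe_to_load(safe_path),
            }
        finally:
            shutil.rmtree(os.path.dirname(safe_path))
    finally:
        shutil.rmtree(shared)
    return result


if __name__ == "__main__":
    print(demo())
```

The check in `safe_to_load` is what closes the window the advisory describes: even if a predictable name is kept for compatibility, refusing to load anything whose directory other users can write to turns the race into a failed start-up rather than code execution as the broker's user.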
All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.
Solution
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Fuse | 1 | x86_64 |
Fixes
- BZ - 924446
- BZ - 924447
- BZ - 955906
- BZ - 955907
- BZ - 955908
- BZ - 958618
CVEs
- CVE-2013-3060
- CVE-2012-6092
- CVE-2012-6551
- CVE-2013-1879
- CVE-2013-1880
- CVE-2013-2035
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.