====================================================================
CERT-Renater Information Note No. 2016/VULN115
_____________________________________________________________________

DATE                : 15/03/2016
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Apache ActiveMQ 5.x prior to
                      5.11.4, 5.12.3 or 5.13.2.
======================================================================

http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
_____________________________________________________________________

CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache ActiveMQ 5.0.0 - 5.13.1

Description: Several cross-site scripting vulnerabilities were identified in the web-based administration console, along with the ability to trigger a Java memory dump into an arbitrary folder. The root causes of these issues are improper validation of user-supplied data on output and incorrect permissions configured on the Jolokia endpoint.

Mitigation: Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2

Credit: This issue was discovered by Vladimir Ivanov (Positive Technologies)
_____________________________________________________________________

CVE-2016-0734: ActiveMQ Web Console - Clickjacking

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache ActiveMQ 5.0.0 - 5.13.1

Description: The web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe on an attacker-controlled page, which can then be used to trick an authenticated user into performing an unintended action in the console (clickjacking).
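As an added practical check (this is editor-supplied example code, not part of the CERT-Renater note or of the Apache announcements), the following Python script decides which of the two CVEs a given broker version is exposed to, using only the affected and fixed versions stated above, and inspects a raw HTTP response from the web console for an anti-framing header. The two HTTP responses in the block are constructed for illustration; in practice one would feed it the output of `curl -i` against the console, which listens on port 8161 by default. It goes slightly beyond the note in also counting a Content-Security-Policy `frame-ancestors` directive as protection, since that is the modern equivalent of X-Frame-Options.

```python
"""Audit helpers for CVE-2016-0782 / CVE-2016-0734 (added example, not CERT or Apache code)."""
import re

# Fixed releases named in the two Apache announcements, per CVE.
FIXED_RELEASES = {
    "CVE-2016-0782": ["5.11.4", "5.12.3", "5.13.2"],
    "CVE-2016-0734": ["5.13.2"],
}


def parse_version(text):
    """'5.13.1' -> (5, 13, 1). Qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised ActiveMQ version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version, cve):
    """True if `version` falls in the affected range for `cve`.

    The advisory lists 5.0.0 - 5.13.1 as affected and one fixed release per
    maintenance branch: a branch is clean only from its own fixed release
    onward, and anything at or above the newest fixed release is clean.
    """
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_RELEASES[cve])
    if v[0] != 5 or v >= fixed[-1]:
        return False
    return not any(v[1] == f[1] and v >= f for f in fixed)


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status_line, {lowercase-name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def framing_policy(headers):
    """Classify the anti-framing protection a response carries.

    'xfo'  - X-Frame-Options DENY or SAMEORIGIN (ALLOW-FROM is not counted:
             browsers never supported it consistently)
    'csp'  - Content-Security-Policy carrying a frame-ancestors directive
    'none' - the page can be framed by any origin (the CVE-2016-0734 condition)
    """
    for value in headers.get("x-frame-options", []):
        if value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return "xfo"
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return "csp"
    return "none"


def audit(version, raw_response):
    """Combine both checks for one broker: which CVEs apply by version, and
    whether the console response actually defends against framing."""
    return {
        "affected_cves": [c for c in FIXED_RELEASES if is_affected(version, c)],
        "framing": framing_policy(parse_response_headers(raw_response)[1]),
    }


# Constructed sample responses (not captured from a real broker).
UNPATCHED_CONSOLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>ActiveMQ console</body></html>"
)
PATCHED_CONSOLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>ActiveMQ console</body></html>"
)

if __name__ == "__main__":
    print(audit("5.13.1", UNPATCHED_CONSOLE))
    print(audit("5.13.2", PATCHED_CONSOLE))
```

The two checks are deliberately kept separate: the version test tells you which announcements apply on paper, while the header test confirms that the console a browser actually reaches (possibly behind a reverse proxy that strips or adds headers) refuses to be framed. Note that 5.11.4 and 5.12.3 are only listed as fixes for CVE-2016-0782; for the clickjacking issue the announcement names 5.13.2 alone, and the script reflects that.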
Mitigation: Upgrade to Apache ActiveMQ 5.13.2

Credit: This issue was discovered by Michael Furman
==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER               | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel         | fax : 01-53-94-20-41           +
+ 75013 Paris                | email: cert@support.renater.fr +
==========================================================