JAVA安全网2017年的第二个cve
问题原因:
Apache ActiveMQ默认消息队列61616端口对外,61616端口使用了OpenWire协议,这个端口会暴露服务器相关信息,这些相关信息实际上是debug信息。
会返回应用名称,JVM,操作系统以及内核版本等信息。
影响版本:
apache-activemq-5.15.0 to apache-activemq-5.15.2
apache-activemq-5.14.0 to apache-activemq-5.14.5
漏洞修复:
测试用例:
修复前:
@Test
- public void testClientProperties() throws Exception{
- BrokerService service = createBrokerService();
- try {
- ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
- ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
- final AtomicReference<WireFormatInfo> clientWf = new AtomicReference<WireFormatInfo>();
- conn.addTransportListener(new DefaultTransportListener() {
- @Override
- public void onCommand(Object command) {
- if (command instanceof WireFormatInfo) {
- clientWf.set((WireFormatInfo)command);
- }
- }
- });
- conn.start();
- if (clientWf.get() == null) {
- fail("Wire format info is null");
- }
- assertTrue(clientWf.get().getProperties().containsKey("ProviderName"));
- assertTrue(clientWf.get().getProperties().containsKey("ProviderVersion"));
- assertTrue(clientWf.get().getProperties().containsKey("PlatformDetails"));
- assertTrue(clientWf.get().getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
- assertTrue(clientWf.get().getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
- } finally {
- stopBroker(service);
修复后:
+ public void testClientPropertiesWithDefaultPlatformDetails() throws Exception{
+ WireFormatInfo clientWf = testClientProperties(brokerUri);
+ assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.DEFAULT_PLATFORM_DETAILS));
+ }
+
+ @Test
+ public void testClientPropertiesWithPlatformDetails() throws Exception{
+ WireFormatInfo clientWf = testClientProperties(brokerUri + "?wireFormat.includePlatformDetails=true");
+ assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
+ }
+
+ private WireFormatInfo testClientProperties(String brokerUri) throws Exception {
+ ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
+ ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
+ conn.start();
+
+ assertTrue(connector.getConnections().size() == 1);
+ final WireFormatInfo clientWf = connector.getConnections().get(0).getRemoteWireFormatInfo();
+ if (clientWf == null) {
+ fail("Wire format info is null");
}
+
+ //verify properties that the client sends to the broker
+ assertTrue(clientWf.getProperties().containsKey("ProviderName"));
+ assertTrue(clientWf.getProperties().containsKey("ProviderVersion"));
+ assertTrue(clientWf.getProperties().containsKey("PlatformDetails"));
+ assertTrue(clientWf.getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
+
+ return clientWf;
}
修复版本:
Apache Active MQ 5.14.6
Apache Active MQ 5.15.3
Apache Active MQ 5.16.0
官方公布的草案:
CVE-2017-15709 - Information Leak
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache ActiveMQ 5.14.0 - 5.15.2
Description:
When using the OpenWire protocol it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
Mitigation:
Use a TLS enabled transport or upgrade to Apache ActiveMQ 5.14.6 or 5.15.3.
Credit:
This issue was discovered by QingTeng cloud Security of Minded Security Researcher jianan.huang
参考信息:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15709
https://issues.apache.org/jira/browse/AMQ-6871
http://activemq.apache.org/security-advisories.html
http://activemq.apache.org/security-advisories.data/CVE-2017-15709-announcement.txt