First published: Mon Mar 03 2014
Apache ActiveMQ provides a SOA infrastructure to connect processes across heterogeneous systems.

A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process. (CVE-2013-4330)

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. (CVE-2013-4152)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2014-0003 issue was discovered by David Jorm of the Red Hat Security Response Team.

All users of Red Hat OpenShift Enterprise 2.0 are advised to upgrade to this updated package, which corrects these issues.
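The CVE-2013-4152 fix boils down to one parser setting: the JAXB unmarshaller must not be allowed to resolve DTDs or external entities. The following added example (not code from Red Hat, Spring or Camel) shows the default, exposed form beside the hardened form, which feeds JAXB a StAX reader that refuses DTDs outright; it assumes a JRE that ships javax.xml.bind (Java 8) and a hypothetical `Order` payload class.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbUnmarshal {
    // Hypothetical payload type, defined only for this example.
    @XmlRootElement(name = "order")
    public static class Order {
        public String item;
        public int quantity;
    }
    // Weak form: JAXB creates its own parser, which accepts a DTD and resolves
    // external entities by default (the CVE-2013-4152 condition).
    public static Order unmarshalUnsafe(String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(new StringReader(xml));
    }

    // Hardened form: parse through a StAX reader that refuses DTDs and never
    // resolves external entities, then hand the event stream to JAXB.
    public static Order unmarshalSafe(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(reader);
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain document, one carrying a DOCTYPE that
        // declares an external entity pointing at a placeholder path.
        String plain = "<order><item>widget</item><quantity>2</quantity></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/constructed.txt\">]>"
                + "<order><item>&ext;</item><quantity>1</quantity></order>";
        Order ok = unmarshalSafe(plain);
        System.out.println("parsed item=" + ok.item + " quantity=" + ok.quantity);
        try {
            unmarshalSafe(withDtd);            // must not get here
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("DTD rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The hardened form fails closed: any document with a DOCTYPE is rejected, which also breaks legitimate inputs that rely on an internal DTD, so check your message formats before enforcing it on a route.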
| Affected Software | Affected Version | Fixed Version |
|---|---|---|
| redhat/activemq | < 5.9.0-4.redhat.610328.el6 | 5.9.0-4.redhat.610328.el6 |
| redhat/activemq-client | < 5.9.0-4.redhat.610328.el6 | 5.9.0-4.redhat.610328.el6 |