First published: Wed Mar 05 2014(Updated: )
Apache ActiveMQ provides a SOA infrastructure to connect processes across<br>heterogeneous systems.<br>A flaw was found in Apache Camel's parsing of the FILE_NAME header.<br>A remote attacker able to submit messages to a Camel route, which would<br>write the provided message to a file, could provide expression language<br>(EL) expressions in the FILE_NAME header, which would be evaluated on the<br>server. This could lead to arbitrary remote code execution in the context<br>of the Camel server process. (CVE-2013-4330)<br>It was found that the Apache Camel XSLT component allowed XSL stylesheets<br>to call external Java methods. A remote attacker able to submit messages to<br>a Camel route could use this flaw to perform arbitrary remote code<br>execution in the context of the Camel server process. (CVE-2014-0003)<br>It was discovered that the Spring OXM wrapper did not expose any property<br>for disabling entity resolution when using the JAXB unmarshaller. A remote<br>attacker could use this flaw to conduct XML External Entity (XXE) attacks<br>on web sites, and read files in the context of the user running the<br>application server. The patch for this flaw disables external entity<br>processing by default, and provides a configuration directive to re-enable<br>it. (CVE-2013-4152)<br>The HawtJNI Library class wrote native libraries to a predictable file name<br>in /tmp/ when the native libraries were bundled in a JAR file, and no<br>custom library path was specified. A local attacker could overwrite these<br>native libraries with malicious versions during the window between when<br>HawtJNI writes them and when they are executed. (CVE-2013-2035)<br>The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat<br>Product Security Team, and the CVE-2014-0003 issue was discovered by David<br>Jorm of the Red Hat Security Response Team.<br>All users of Red Hat OpenShift Enterprise 1.2.7 are advised to upgrade to<br>this updated package, which corrects these issues.<br>
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/activemq | <5.9.0-4.redhat.610328.el6 | 5.9.0-4.redhat.610328.el6 |
redhat/activemq-client | <5.9.0-4.redhat.610328.el6 | 5.9.0-4.redhat.610328.el6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.