Multiple vulnerabilities in Red Hat AMQ Broker



Published: 2021-09-30 | Updated: 2021-11-03
Risk Medium
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2021-28164
CVE-2021-34429
CVE-2021-21290
CVE-2021-28169
CVE-2020-13956
CVE-2021-21295
CVE-2021-21409
CVE-2021-34428
CVE-2021-20289
CVE-2021-28163
CVE-2020-27223
CVE-2021-3425
CVE-2021-28165
CVE-2021-29425
CVE-2021-3763
CWE-ID CWE-20
CWE-284
CWE-312
CWE-444
CWE-613
CWE-200
CWE-532
CWE-400
CWE-22
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #11 is available.
Vulnerable software
Subscribe
AMQ Broker
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU51877

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C]

CVE-ID: CVE-2021-28164

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive informatoin.

The vulnerability exists due to insufficient validation of user-supplied input when processing special characters, passed via URI. A remote attacker can use %2e or %2e%2e segments to access protected resources within the WEB-INF directory.

Example:

http://[host]/context/%2e/WEB-INF/web.xml

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Improper access control

EUVDB-ID: #VU56964

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C]

CVE-ID: CVE-2021-34429

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

3) Cleartext storage of sensitive information

EUVDB-ID: #VU51835

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21290

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to insecure usage of temporary files in AbstractDiskHttpData method in Netty. The application stores sensitive information in temporary file that has insecure permissions. A local user can view application's temporary file and gain access to potentially sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU53973

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28169

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information..

The vulnerability exists due to a double decoding issue when parsing URI with certain characters. A remote attacker can send requests to the ConcatServlet and WelcomeFilter and view contents of protected resources within the WEB-INF directory.

Example:

/concat?/%2557EB-INF/web.xml

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU47481

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13956

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU51836

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21295

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 when converting HTTP/2 to HTTP/1 streams. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU51837

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21409

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 in Netty, if the request only uses a single Http2HeaderFrame with the endStream set to to true. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Insufficient Session Expiration

EUVDB-ID: #VU55642

Risk: Low

CVSSv3.1: 3.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-34428

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Information disclosure

EUVDB-ID: #VU56965

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20289

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. A remote attacker can obtain endpoint class and method names.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Information disclosure

EUVDB-ID: #VU51878

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28163

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU52385

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-27223

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU54676

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3425

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the AMQ Broker discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile, if jdbc persistence functionality is used. A local user can read the log files and gain access to sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Resource exhaustion

EUVDB-ID: #VU51876

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28165

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger CPU high load and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Path traversal

EUVDB-ID: #VU52252

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-29425

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper access control

EUVDB-ID: #VU56966

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3763

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions for users without a role set. A remote privileged user can bypass implemented security restrictions and gain unauthorized access to the in the management console.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AMQ Broker: 7.8, 7.8.1, 7.8.2

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:3700

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###