Vulnerabilities > CVE-2016-0734 - 7PK - Security Features vulnerability in Apache ActiveMQ
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Summary
The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_950B2D60F2A911E5B4A9AC220BDCEC59.NASL description Michael Furman reports : The web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console. last seen 2020-06-01 modified 2020-06-02 plugin id 90234 published 2016-03-28 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90234 title FreeBSD : activemq -- Web Console Clickjacking (950b2d60-f2a9-11e5-b4a9-ac220bdcec59) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. 
# IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(90234);
  script_version("2.8");
  script_cvs_date("Date: 2018/11/10 11:49:45");

  script_cve_id("CVE-2016-0734");

  script_name(english:"FreeBSD : activemq -- Web Console Clickjacking (950b2d60-f2a9-11e5-b4a9-ac220bdcec59)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Michael Furman reports : The web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console."
  );
  # http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d7cdf2a0"
  );
  # https://vuxml.freebsd.org/freebsd/950b2d60-f2a9-11e5-b4a9-ac220bdcec59.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d971f239"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:activemq");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

# Local (credentialed) check: every KB entry below is populated by
# ssh_get_info.nasl, so bail out early when any of them is missing.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Guard clause: an activemq package at 5.13.2 or later (or no package at
# all) means there is nothing to report.
if (!pkg_test(save_report:TRUE, pkg:"activemq<5.13.2"))
  audit(AUDIT_HOST_NOT, "affected");

# Vulnerable package found; with verbose reporting, pkg_report_get()
# supplies the package details for the finding.
if (report_verbosity > 0)
  security_warning(port:0, extra:pkg_report_get());
else
  security_warning(0);
exit(0);
NASL family CGI abuses NASL id ACTIVEMQ_5_13_2.NASL description The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.13.2. It is, therefore, affected by multiple vulnerabilities : - A clickjacking vulnerability exists in the web-based administration console due to not setting the X-Frame-Options header in HTTP responses. A remote attacker can exploit this to trick a user into executing administrative tasks. (CVE-2016-0734) - Multiple cross-site scripting vulnerabilities exists in the web-based administration console to improper validation of user-supplied input. A remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 90025 published 2016-03-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90025 title Apache ActiveMQ 5.x < 5.13.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90025); script_version("1.9"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2016-0734", "CVE-2016-0782"); script_bugtraq_id(84316, 84321); script_name(english:"Apache ActiveMQ 5.x < 5.13.2 Multiple Vulnerabilities"); script_summary(english:"Checks the version of ActiveMQ."); script_set_attribute(attribute:"synopsis", value: "The remote host is running a web application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.13.2. It is, therefore, affected by multiple vulnerabilities : - A clickjacking vulnerability exists in the web-based administration console due to not setting the X-Frame-Options header in HTTP responses. A remote attacker can exploit this to trick a user into executing administrative tasks. 
(CVE-2016-0734) - Multiple cross-site scripting vulnerabilities exists in the web-based administration console to improper validation of user-supplied input. A remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-0782) Note that CVE-2016-0734 was partially fixed in 5.11.4 and 5.12.3 by setting the X-Frame-Options header for Servlets and JSPs but not static content. Therefore, the fix for these versions is incomplete, and it is recommended that users upgrade to 5.13.2 or later."); # http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d7cdf2a0"); script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/AMQ-6170"); script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/AMQ-6113"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache ActiveMQ version 5.13.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0734"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:activemq"); 
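script_end_attributes();

script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

script_dependencies("activemq_web_console_detect.nasl");
script_require_keys("installed_sw/ActiveMQ", "Settings/ParanoidReport");
script_require_ports("Services/www", 8161);

exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'ActiveMQ';
get_install_count(app_name:app, exit_if_zero:TRUE);

# This is a version-only check (no header probe), so it only runs when
# paranoid reporting (Settings/ParanoidReport) is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:8161);

install = get_single_install(
  app_name : app,
  port : port,
  exit_if_unknown_ver : TRUE
);
dir = install['path'];
version = install['version'];
install_url = build_url(port:port, qs:dir);

fix = '5.13.2';

# Affected range: every 5.x release before 5.13.2. 5.11.4 and 5.12.3 only
# set X-Frame-Options for servlets and JSPs, not static content, so those
# two are still reported (hence "<= 0" rather than "== -1" on the 5.11 and
# 5.12 branches).
# Each branch pattern accepts a bare "5.11"/"5.12"/"5.13" as well as
# "5.1x.y"; a version string without a patch component is then compared
# (ver_compare with strict:FALSE) instead of silently falling through as
# "not affected".
vuln = FALSE;
if (version =~ "^5\.13(\.|$)" && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
  vuln = TRUE;
else if (version =~ "^5\.12(\.|$)" && ver_compare(ver:version, fix:"5.12.3", strict:FALSE) <= 0)
  vuln = TRUE;
else if (version =~ "^5\.11(\.|$)" && ver_compare(ver:version, fix:"5.11.4", strict:FALSE) <= 0)
  vuln = TRUE;
else if (version =~ "^5\.([0-9]|10)(\.|$)")
  vuln = TRUE;

if (!vuln) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

report =
  '\n URL : ' + install_url +
  '\n Installed version : ' + version +
  '\n Fixed version : ' + fix +
  '\n';
security_report_v4(extra:report, port:port, severity:SECURITY_WARNING, xsrf:TRUE);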
NASL family CGI abuses NASL id ACTIVEMQ_X_FRAME_OPTIONS.NASL description The version of Apache ActiveMQ running on the remote host is affected by a clickjacking vulnerability in the web-based administration console due to not setting the X-Frame-Options header in HTTP responses. A remote attacker can exploit this to trick a user into executing administrative tasks. Note that this vulnerability was partially fixed in 5.11.4 and 5.12.3 by setting the X-Frame-Options header for Servlets and JSPs but not static content. Therefore, the fix for these versions is incomplete, and it is recommended that users upgrade to 5.13.2 or later. last seen 2020-06-01 modified 2020-06-02 plugin id 90026 published 2016-03-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90026 title Apache ActiveMQ Web Console Missing X-Frame-Options Clickjacking code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90026); script_version("1.8"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2016-0734"); script_name(english:"Apache ActiveMQ Web Console Missing X-Frame-Options Clickjacking"); script_summary(english:"Checks if X-Frame-Options response header is set for ActiveMQ."); script_set_attribute(attribute:"synopsis", value: "The remote host is running a web application that is affected by a clickjacking vulnerability."); script_set_attribute(attribute:"description", value: "The version of Apache ActiveMQ running on the remote host is affected by a clickjacking vulnerability in the web-based administration console due to not setting the X-Frame-Options header in HTTP responses. A remote attacker can exploit this to trick a user into executing administrative tasks. Note that this vulnerability was partially fixed in 5.11.4 and 5.12.3 by setting the X-Frame-Options header for Servlets and JSPs but not static content. 
Therefore, the fix for these versions is incomplete, and it is recommended that users upgrade to 5.13.2 or later."); # http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d7cdf2a0"); script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/AMQ-6170"); script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/AMQ-6113"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache ActiveMQ version 5.13.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0734"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:activemq"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
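or an Affiliate thereof.");

script_dependencies("activemq_web_console_detect.nasl");
script_require_keys("installed_sw/ActiveMQ");
script_require_ports("Services/www", 8161);

exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'ActiveMQ';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:8161);

# The check inspects response headers, not the version, so an install
# with an unknown version is still examined.
install = get_single_install(
  app_name : app,
  port : port,
  exit_if_unknown_ver : FALSE
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# Obtain the response headers for "/": reuse a cached response when one
# exists, otherwise issue a fresh GET.
headers = NULL;
res = http_get_cache(port:port, item:"/");
if (!empty_or_null(res))
{
  # An HTTP message separates its header block from the body with an
  # empty line (CRLF CRLF); the first piece is the status line plus headers.
  res = split(res, sep:'\r\n\r\n', keep:FALSE);
  headers = res[0];
}
else
{
  res = http_send_recv3(
    method : "GET",
    item : "/",
    port : port,
    exit_on_fail : TRUE
  );
  headers = res[1];
}

# RFC 7230 permits optional whitespace between the colon and the field
# value, so "X-Frame-Options:DENY" and "X-Frame-Options:   DENY" must
# count as set; requiring exactly one space would report a false positive.
# NOTE(review): a Content-Security-Policy frame-ancestors directive also
# prevents framing in current browsers but is not considered here, so a
# deployment hardened only via CSP would still be reported.
pat = "^X-Frame-Options: *(DENY|SAMEORIGIN|ALLOW-FROM)";
if (egrep(pattern:pat, string:headers, icase:TRUE))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

# Header is absent: report, adding the raw header block at verbosity > 1
# so the evidence can be reviewed.
report = NULL;
if (report_verbosity > 0)
{
  report =
    '\n' + 'Nessus was able to verify the issue exists by requesting the following '+
    '\n' + 'URL and examining the response header :' +
    '\n' +
    '\n' + install_url + '\n';
  if (report_verbosity > 1)
  {
    report +=
      '\n' + 'The remote ActiveMQ server produced the following response header :' +
      '\n' +
      '\n' + chomp(headers) + '\n';
  }
}

security_report_v4(extra:report, port:port, severity:SECURITY_WARNING, xsrf:TRUE);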
Redhat advisories
References
- http://www.openwall.com/lists/oss-security/2016/03/10/11
- http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
- https://access.redhat.com/errata/RHSA-2016:1424
- http://www.securitytracker.com/id/1035327
- http://www.securityfocus.com/bid/84321
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E