Debian DLA-3657-1 : activemq - LTS security update

critical Nessus Plugin ID 186019

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3657 advisory.

- Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the jmxrmi entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. (CVE-2020-13920)

- The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. (CVE-2021-26117)

- The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
(CVE-2023-46604)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the activemq packages.

For Debian 10 buster, these problems have been fixed in version 5.15.16-0+deb10u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054909

https://security-tracker.debian.org/tracker/source-package/activemq

https://www.debian.org/lts/security/2023/dla-3657

https://security-tracker.debian.org/tracker/CVE-2020-13920

https://security-tracker.debian.org/tracker/CVE-2021-26117

https://security-tracker.debian.org/tracker/CVE-2023-46604

https://packages.debian.org/source/buster/activemq

Plugin Details

Severity: Critical

ID: 186019

File Name: debian_DLA-3657.nasl

Version: 1.4

Type: local

Agent: unix

Published: 11/20/2023

Updated: 5/2/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-26117

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2023-46604

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:activemq, p-cpe:/a:debian:debian_linux:libactivemq-java

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/20/2023

Vulnerability Publication Date: 9/10/2020

CISA Known Exploited Vulnerability Due Dates: 11/23/2023

Exploitable With

Core Impact

Metasploit (Apache ActiveMQ Unauthenticated Remote Code Execution)

Reference Information

CVE: CVE-2020-13920, CVE-2021-26117, CVE-2023-46604

IAVB: 2021-B-0009-S, 2023-B-0086-S