Synopsis
The remote host has a web application installed that is affected by multiple vulnerabilities.
Description
The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.10.1 / 5.11.0. It is, therefore, potentially affected by multiple vulnerabilities:
- An unauthenticated, remote attacker can crash the broker listener by sending a packet to the same port that a message consumer or producer connects to, resulting in a denial of service condition. (CVE-2014-3576)
- An XML external entity (XXE) injection vulnerability exists that is related to XPath selectors. A remote attacker can exploit this, via specially crafted XML data, to disclose the contents of arbitrary files.
- A flaw exists in the LDAPLoginModule of the Java Authentication and Authorization Service (JAAS) which can be triggered by the use of wildcard operators instead of a username or by invalid passwords. A remote attacker can exploit this to bypass authentication.
- Multiple cross-site scripting (XSS) vulnerabilities exist in the web administrative console. (CVE-2014-8110)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to version 5.10.1 / 5.11.0 or later.
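The plugin's verdict rests on the self-reported version alone, so the decision reduces to "is this a 5.x release older than 5.10.1?". The check below is an added illustration of that logic, not Nessus code; the banner strings are constructed samples, and it deliberately compares numeric tuples because a plain string comparison would wrongly treat 5.9.0 as newer than 5.10.1.

```python
import re

# First fixed release on the 5.10 line. 5.11.0 is the other fixed branch,
# and every 5.x version at or above 5.10.1 is already past the fix.
FIXED = (5, 10, 1)

def parse_version(banner):
    """Extract a (major, minor, patch) tuple from a self-reported version
    such as 'ActiveMQ 5.9.0' or '5.10.1'. A missing patch field is read as 0;
    suffixes like '-SNAPSHOT' are ignored. Raises ValueError if no version
    is present, so an unparseable banner is never silently treated as safe."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError(f"no version number found in {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)

def is_affected(banner):
    """True when the banner reports a 5.x version older than 5.10.1."""
    v = parse_version(banner)
    return v[0] == 5 and v < FIXED

def naive_is_affected(banner):
    """The string-comparison mistake, kept for contrast: '5.9.0' < '5.10.1'
    is False because '9' sorts after '1', so 5.9.0 would be reported as fixed."""
    return banner.startswith("5.") and banner < "5.10.1"

if __name__ == "__main__":
    # Constructed sample banners, not real scan output.
    for b in ["ActiveMQ 5.9.0", "5.10.0", "5.10.1", "5.11.0", "5.2.0-SNAPSHOT"]:
        print(f"{b:20} affected={is_affected(b)}")
```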