Date: Wed, 16 Dec 2020 16:31:08 +0000 From: Jonathan Gallimore <jonathan.gallimore@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache TomEE 8.0.0-M1 - 8.0.3 Apache TomEE 7.1.0 - 7.1.3 Apache TomEE 7.0.0-M1 - 7.0.8 Apache TomEE 1.0.0 - 1.7.5 Description: If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case. Mitigation: - Upgrade to TomEE 7.0.9 or later - Upgrade to TomEE 7.1.4 or later - Upgrade to TomEE 8.0.4 or later Ensure the correct VM broker name is used consistently across the resource adapter config. Credit: Thanks to Frans Henskens for discovering and reporting this issue.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.