oss-security - CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <CAGRgoZh0pZ4LP0s3za98GDqkuLJimhMQugOU4X4h8Rcq444mUg@mail.gmail.com>
Date: Wed, 16 Dec 2020 16:31:08 +0000
From: Jonathan Gallimore <jonathan.gallimore@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource
 Adapter can lead to JMX being enabled

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache TomEE 8.0.0-M1 - 8.0.3
Apache TomEE 7.1.0 - 7.1.3
Apache TomEE 7.0.0-M1 - 7.0.8
Apache TomEE 1.0.0 - 1.7.5

Description:
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
broker config is misconfigured, a JMX port is opened on TCP port 1099,
which does not include authentication. CVE-2020-11969 previously addressed
the creation of the JMX management interface, however the incomplete fix
did not cover this edge case.

Mitigation:
- Upgrade to TomEE 7.0.9 or later
- Upgrade to TomEE 7.1.4 or later
- Upgrade to TomEE 8.0.4 or later

Ensure the correct VM broker name is used consistently across the resource
adapter config.

Credit: Thanks to Frans Henskens for discovering and reporting this issue.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.