RHSA-2013:1221 - Security Advisory

Topic

An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous
systems.

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

This update delivers a README file which describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Back up existing Fuse Message Broker
configuration files before making changes.

Affected Products

• Red Hat Fuse 1 x86_64

Fixes

• BZ - 955908 - CVE-2013-3060 activemq: Unauthenticated access to web console

CVEs

• CVE-2013-3060

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache&downloadType=securityPatches&version=5.5.1-fuse-10