Your message dated Fri, 21 Nov 2014 13:34:04 +0000
with message-id <e1xrolc-00042b...@franck.debian.org>
and subject line Bug#769887: fixed in activemq 5.6.0+dfsg1-3
has caused the Debian Bug report #769887,
regarding Apache ActiveMQ Packaged with JMX/RMI Enabled
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
769887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769887
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: activemq
Version: 5.6.0+dfsg-1
It looks like Apache ActiveMQ as packaged for Debian comes with JMX/RMI service
listening on all network interfaces and allowing for unauthenticated access.
Achieving system command execution is as simple as querying JMX for the RMI
registry endpoint port number, setting up a local proxy, deploying and
executing a malicious managed bean as outlined in this blog post[1].
It may be worth revising the way you ship ActiveMQ and eventually consider
limiting JMX access to localhost.
The commands below bring up ActiveMQ using the default configuration.
$ sudo ln -s /etc/activemq/instances-available/main /etc/activemq/instances-enabled/main
$ sudo /etc/init.d/activemq start
* Starting ActiveMQ instance activemq [ OK ]
$
[1] http://www.accuvant.com/blog/exploiting-jmx-rmi
--- End Message ---
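A check a sysadmin can run against a deployed broker for the exposure described in the report above (an added example; this is not code from the bug report, the Debian package or the ActiveMQ project). It parses `ss -ltnp` output to list Java sockets bound to anything other than loopback, flagging the JMX/RMI registry port, and classifies the JMX posture declared in activemq.xml through the `useJmx` attribute on `<broker>` and `createConnector` on the `<managementContext>` bean. Assumptions: 1099 as the default connectorPort, both attributes defaulting to true, and the constructed `ss` output and XML snippets below, which stand in for real host data.

```python
import re
import xml.etree.ElementTree as ET

# ActiveMQ's default JMX connectorPort (the RMI registry). Assumed default.
# The RMI server object itself answers on an ephemeral port, so the socket
# audit below reports every non-loopback Java listener, not only 1099.
JMX_REGISTRY_PORT = 1099
WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}

# Constructed `ss -ltnp` output for a host running the default Debian
# ActiveMQ instance: JMX registry (1099) and OpenWire (61616) on all
# interfaces, web console (8161) on loopback, plus an unrelated sshd.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      50     *:1099             *:*               users:(("java",pid=1234,fd=21))
LISTEN 0      50     *:61616            *:*               users:(("java",pid=1234,fd=35))
LISTEN 0      50     127.0.0.1:8161     *:*               users:(("java",pid=1234,fd=40))
"""


def parse_ss_listeners(ss_output):
    """Turn `ss -ltnp` text into (bind_addr, port, process_name) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header row or a non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # handles "[::]:1099" too
        m = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append((addr, int(port), m.group(1) if m else None))
    return listeners


def exposed_java_listeners(ss_output, jmx_port=JMX_REGISTRY_PORT):
    """Java sockets bound to something other than loopback.

    Each finding records whether it is the JMX/RMI registry port; a wildcard
    or external bind there is the condition the bug report describes.
    """
    findings = []
    for addr, port, proc in parse_ss_listeners(ss_output):
        if proc == "java" and addr not in LOOPBACK_ADDRS:
            findings.append({
                "addr": addr,
                "port": port,
                "wildcard": addr in WILDCARD_ADDRS,
                "jmx_registry": port == jmx_port,
            })
    return sorted(findings, key=lambda f: f["port"])


def _localname(tag):
    """Strip the XML namespace so the Spring/ActiveMQ schema URIs do not matter."""
    return tag.rsplit("}", 1)[-1]


def jmx_config_status(activemq_xml):
    """Classify the JMX posture declared in an activemq.xml.

    Returns 'disabled' when <broker> carries useJmx="false", 'no-connector'
    when the <managementContext> bean carries createConnector="false", and
    'connector' otherwise (assumed defaults: both attributes default to true).
    'connector' means a remote JMX/RMI endpoint is created; confirm its bind
    address with exposed_java_listeners(), the config alone does not prove
    the socket is loopback-only.
    """
    root = ET.fromstring(activemq_xml)
    for el in root.iter():
        if _localname(el.tag) == "broker" and el.get("useJmx", "true").lower() == "false":
            return "disabled"
    for el in root.iter():
        if (_localname(el.tag) == "managementContext"
                and el.get("createConnector", "true").lower() == "false"):
            return "no-connector"
    return "connector"


# Constructed configs: the exposed shape and two hardened variants.
EXPOSED_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <managementContext>
      <managementContext connectorPort="1099"/>
    </managementContext>
  </broker>
</beans>"""
NO_CONNECTOR_XML = EXPOSED_XML.replace('connectorPort="1099"', 'createConnector="false"')
NO_JMX_XML = EXPOSED_XML.replace('brokerName="localhost"', 'brokerName="localhost" useJmx="false"')

if __name__ == "__main__":
    print("config:", jmx_config_status(EXPOSED_XML))
    for f in exposed_java_listeners(SAMPLE_SS):
        kind = "JMX/RMI registry" if f["jmx_registry"] else "other Java listener"
        print(f"{f['addr']}:{f['port']}  {kind}  wildcard={f['wildcard']}")
```

Treat the socket audit as authoritative: the registry on 1099 is only the bootstrap, and the RMI server object it points to listens on a separate, ephemeral port, which is why the attack path in the report first queries the registry for that port number. A config that classifies as 'connector' together with the registry on a wildcard address is the condition the report describes; the 5.6.0+dfsg1-3 upload closes it by disabling JMX by default.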
--- Begin Message ---
Source: activemq
Source-Version: 5.6.0+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated activemq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 21 Nov 2014 14:02:16 +0100
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.6.0+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
activemq - Java message broker - server
libactivemq-java - Java message broker core libraries
libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 769887
Changes:
activemq (5.6.0+dfsg1-3) unstable; urgency=high
.
* Team upload.
* Disable JMX by default (Closes: #769887)
Checksums-Sha1:
bc5caf0c51a436d626fa5dbc78e12101c548182d 3353 activemq_5.6.0+dfsg1-3.dsc
93c54a06db8518fb950f945e087a019c7141217e 15328 activemq_5.6.0+dfsg1-3.debian.tar.xz
be01bdab5d61b20c4330ef0750418c6466b48372 3578066 libactivemq-java_5.6.0+dfsg1-3_all.deb
97d305434e5efcfc31465104bf86544fc0a6aa9c 3514482 libactivemq-java-doc_5.6.0+dfsg1-3_all.deb
983a60d3fe2af010ed76d8f37e034ff651039a0b 49104 activemq_5.6.0+dfsg1-3_all.deb
Checksums-Sha256:
eb47eb80c191d2ecbd45b88757db8333f5b2522e788fbc1d085f1e8befc315cb 3353 activemq_5.6.0+dfsg1-3.dsc
644d9cfeace25936feaf53a55055d8fc7bfa2fcace96c858fb36266abf0e8ce8 15328 activemq_5.6.0+dfsg1-3.debian.tar.xz
de6d0a85d2775ae353a8403cc5ae883e7a2c4500d77d2666ea2a59082ca03cb1 3578066 libactivemq-java_5.6.0+dfsg1-3_all.deb
d00571cac47f25958cfdb77c56f7f7d50b6186bd3b2f38d2e63b30975077ee7c 3514482 libactivemq-java-doc_5.6.0+dfsg1-3_all.deb
9c7b61170f588bb021e11193f38a40b4e869ede77f872c5c0ee262cf0f5e6350 49104 activemq_5.6.0+dfsg1-3_all.deb
Files:
402f18f3d528ad47f573d523e75cc336 3353 java optional activemq_5.6.0+dfsg1-3.dsc
cc9a27d6519b6cc5c4f7452539f52046 15328 java optional activemq_5.6.0+dfsg1-3.debian.tar.xz
0f200eb8ebd39b3f9dabb2dbb54bd858 3578066 java optional libactivemq-java_5.6.0+dfsg1-3_all.deb
7dba435a4bfa13e38c3653c399ea4c02 3514482 doc optional libactivemq-java-doc_5.6.0+dfsg1-3_all.deb
7447b73271f40738512aad895786cde8 49104 java optional activemq_5.6.0+dfsg1-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---