The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3657 advisory.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the jmxrmi entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. (CVE-2020-13920)
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. (CVE-2021-26117)
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
(CVE-2023-46604)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3657. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(186019);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/20");
script_cve_id("CVE-2020-13920", "CVE-2021-26117", "CVE-2023-46604");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/11/23");
script_xref(name:"IAVB", value:"2021-B-0009-S");
script_xref(name:"IAVB", value:"2023-B-0086");
script_name(english:"Debian DLA-3657-1 : activemq - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3657 advisory.
- Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server
to the jmxrmi entry. It is possible to connect to the registry without authentication and call the
rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the
original, and bound that, he effectively becomes a man in the middle and is able to intercept the
credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. (CVE-2020-13920)
- The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In
this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions
5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in
no check on the password. (CVE-2021-26117)
- The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow
a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client
or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
(CVE-2023-46604)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054909");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/activemq");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3657");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-13920");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-26117");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46604");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/activemq");
script_set_attribute(attribute:"solution", value:
"Upgrade the activemq packages.
For Debian 10 buster, these problems have been fixed in version 5.15.16-0+deb10u1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-26117");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-46604");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Apache ActiveMQ Unauthenticated Remote Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/10");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:activemq");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libactivemq-java");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'activemq', 'reference': '5.15.16-0+deb10u1'},
{'release': '10.0', 'prefix': 'libactivemq-java', 'reference': '5.15.16-0+deb10u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'activemq / libactivemq-java');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | activemq | p-cpe:/a:debian:debian_linux:activemq |
debian | debian_linux | libactivemq-java | p-cpe:/a:debian:debian_linux:libactivemq-java |
debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13920
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26117
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604
bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054909
packages.debian.org/source/buster/activemq
security-tracker.debian.org/tracker/CVE-2020-13920
security-tracker.debian.org/tracker/CVE-2021-26117
security-tracker.debian.org/tracker/CVE-2023-46604
security-tracker.debian.org/tracker/source-package/activemq
www.debian.org/lts/security/2023/dla-3657