(RHSA-2013:1029) Important: Fuse MQ Enterprise 7.1.0 update

Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)

It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send the sample
application requests, allowing them to consume all available broker
resources. (CVE-2012-6551)

A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)

A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)

Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.

All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.