Cross-Site Scripting Flaw in Apache ActiveMQ Threatens Web Visitors

Lindsey O'Donnell, Threatpost (threatpost.com), Aug 24, 2018, 3:25 p.m.

EPSS score: 0.348 (percentile 97.1%)

Researchers have found a cross-site scripting (XSS) flaw in Apache ActiveMQ that could enable a remote attacker with no privileges to launch an array of attacks against visitors to compromised websites.

The vulnerability (CVE-2018-8006) was disclosed today and impacts ActiveMQ versions earlier than 5.15.5.

Apache ActiveMQ is an open-source message broker that acts as a middleman, relaying data between other pieces of software. The flaw lies in the “QueueFilter” parameter of ActiveMQ's web console, which exists to apply content-based routing filters to the data ActiveMQ is brokering between those pieces of software.

Bruno Oliveira, a security researcher with Trustwave SpiderLabs, discovered the flaw. Essentially, an attacker would only need to feed a URL-encoded script to the parameter in the URI (http://localhost:8161/admin/queues.jsp?QueueFilter=yu1ey"><script>alert(%22SpiderLabs%22)%3c%2fscript%3eqb68), researchers said, to trigger an exploit.

“XSS bugs do not affect the web server, but rather the web clients (browsers) that visit the affected website,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost. “XSS allows an attacker to embed their own scripts and code into the website and have that code executed whenever the client visits the specific URL.”
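As an added, defender-side example (not code from the article or from the ActiveMQ project): the script below pulls the QueueFilter parameter out of constructed web-server access-log lines, URL-decodes it and flags values that carry HTML or script markup, which is what a reflected-XSS attempt against queues.jsp looks like from the server side; `render_filter` is a simplified, hypothetical model of the page echoing the parameter back, contrasting unescaped output with HTML-escaped output, and is not ActiveMQ's actual JSP.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (hypothetical, not taken from the article): one
# benign queue-name filter and one carrying the URL-encoded payload shape quoted in the text.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2018:15:10:01 +0000] "GET /admin/queues.jsp?QueueFilter=orders.%2A HTTP/1.1" 200 5120
10.0.0.9 - - [24/Aug/2018:15:12:44 +0000] "GET /admin/queues.jsp?QueueFilter=yu1ey%22%3E%3Cscript%3Ealert(%22SpiderLabs%22)%3c%2fscript%3Eqb68 HTTP/1.1" 200 5211
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markup that has no business in a queue-name filter: an opening tag, a closed quoted
# attribute, an inline event handler, or a javascript: URL.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|">|on\w+\s*=|javascript:', re.IGNORECASE)


def queue_filter_values(log_text):
    """Yield (line, decoded QueueFilter value) for each queues.jsp request carrying the parameter."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/queues.jsp"):
            continue
        for value in parse_qs(parts.query).get("QueueFilter", []):
            # parse_qs decodes once; decode again so double-encoded payloads are not missed.
            yield line, unquote(value)


def flag_suspicious(log_text):
    """Return the decoded QueueFilter values that contain HTML/JS markup."""
    return [value for _, value in queue_filter_values(log_text) if SUSPICIOUS_RE.search(value)]


def render_filter(value, escape=True):
    """Hypothetical model of the page echoing the parameter into an input's value attribute.

    escape=False reproduces the unsafe pattern (attacker markup lands in the page);
    escape=True shows the fix: HTML-escape the value, including quotes, before output.
    """
    shown = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="QueueFilter" value="{shown}">'
```

Run against real logs, the flagged values tell you whether an exposed console was probed, while the escaped rendering shows why upgrading to a version that encodes the parameter neutralises the payload.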

With the malicious code embedded in the website, the attacker can then piggyback on the trust level of the website and launch a variety of attacks, Sigler said. Those may include triggering a pop-up asking the user for their credentials, prompting the user to install malicious software or browser plugins via a fake “update” prompt, or exploiting vulnerabilities in the web browser itself.

“No privileges are necessary,” Sigler told us. “The attackers only need access to the ActiveMQ software remotely (potentially from across the internet if ActiveMQ is exposed publicly to the internet). The attack itself is incredibly easy to exploit and XSS bugs like these consistently rank in the top 10 web application vulnerabilities.”

While the attack can be launched remotely, Sigler said XSS vulnerabilities are generally considered medium severity as they still require the tricky combination of a vulnerable website and the added effort of convincing victims to visit a malicious URL that exploits the vulnerability.

“The combination of those requirements makes it less severe than a direct remote code-execution vulnerability,” he said.

It’s difficult to estimate how many systems are impacted, Sigler said; it depends on how many installations of ActiveMQ exist and how exposed those vulnerable instances are to the internet.

The flaw was reported to Apache April 27 and has been patched: “Apache was very responsive and cooperative throughout the disclosure process,” Sigler said. Apache fixed the bug in ActiveMQ version 5.15.5, so users with earlier versions should upgrade.

Apache has had a busy week: earlier this week the foundation said it had patched a critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language. That flaw threatened a wide range of applications, even when no additional plugins were enabled.