[CVE-2017-15709]Apache ActiveMQ Information Leak

2017年的第二个cve

问题原因：

Apache ActiveMQ默认消息队列61616端口对外，61616端口使用了OpenWire协议，这个端口会暴露服务器相关信息，这些相关信息实际上是debug信息。

会返回应用名称，JVM，操作系统以及内核版本等信息。

影响版本：

apache-activemq-5.15.0 to apache-activemq-5.15.2
apache-activemq-5.14.0 to apache-activemq-5.14.5
漏洞修复：


测试用例：

修复前：

@Test -    public void testClientProperties() throws Exception{ -        BrokerService service = createBrokerService(); -        try { -            ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri)); -            ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection(); -            final AtomicReference<WireFormatInfo> clientWf = new AtomicReference<WireFormatInfo>(); -            conn.addTransportListener(new DefaultTransportListener() { -                @Override -                public void onCommand(Object command) { -                    if (command instanceof WireFormatInfo) { -                        clientWf.set((WireFormatInfo)command); -                    } -                } -            }); -            conn.start(); -            if (clientWf.get() == null) { -                fail("Wire format info is null"); -            } -            assertTrue(clientWf.get().getProperties().containsKey("ProviderName")); -            assertTrue(clientWf.get().getProperties().containsKey("ProviderVersion")); -            assertTrue(clientWf.get().getProperties().containsKey("PlatformDetails")); -            assertTrue(clientWf.get().getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME)); -            assertTrue(clientWf.get().getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS)); -        } finally { -            stopBroker(service); 

修复后：

+    public void testClientPropertiesWithDefaultPlatformDetails() throws Exception{ +        WireFormatInfo clientWf = testClientProperties(brokerUri); +        assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.DEFAULT_PLATFORM_DETAILS)); +    } + +    @Test +    public void testClientPropertiesWithPlatformDetails() throws Exception{ +        WireFormatInfo clientWf = testClientProperties(brokerUri + "?wireFormat.includePlatformDetails=true"); +        assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS)); +    } + +    private WireFormatInfo testClientProperties(String brokerUri) throws Exception { +        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri)); +        ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection(); +        conn.start(); + +        assertTrue(connector.getConnections().size() == 1); +        final WireFormatInfo clientWf = connector.getConnections().get(0).getRemoteWireFormatInfo(); +        if (clientWf == null) { +            fail("Wire format info is null");          } + +        //verify properties that the client sends to the broker +        assertTrue(clientWf.getProperties().containsKey("ProviderName")); +        assertTrue(clientWf.getProperties().containsKey("ProviderVersion")); +        assertTrue(clientWf.getProperties().containsKey("PlatformDetails")); +        assertTrue(clientWf.getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME)); + +        return clientWf;      } 

修复版本：

Apache Active MQ 5.14.6

Apache Active MQ 5.15.3

Apache Active MQ 5.16.0

官方公布的草案：

CVE-2017-15709 - Information Leak  Severity: Low  Vendor: The Apache Software Foundation  Versions Affected: Apache ActiveMQ 5.14.0 - 5.15.2  Description:  When using the OpenWire protocol it was found that certain system details (such as the OS and kernel version) are exposed as plain text.  Mitigation:  Use a TLS enabled transport or upgrade to Apache ActiveMQ 5.14.6 or 5.15.3.     Credit:  This issue was discovered by QingTeng cloud Security of Minded Security Researcher jianan.huang 

参考信息：

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15709

https://issues.apache.org/jira/browse/AMQ-6871

http://activemq.apache.org/security-advisories.html

http://activemq.apache.org/security-advisories.data/CVE-2017-15709-announcement.txt