[RHSA-2013:1221-01] Important: Fuse Message Broker 5.5.1 security update

bugzilla at redhat.com bugzilla at redhat.com
Mon Sep 9 17:04:00 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse Message Broker 5.5.1 security update
Advisory ID:       RHSA-2013:1221-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1221.html
Issue date:        2013-09-09
CVE Names:         CVE-2013-3060 
=====================================================================

1. Summary:

An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous
systems.

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

This update delivers a README file which describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Back up existing Fuse Message Broker
configuration files before making changes.

4. Bugs fixed (http://bugzilla.redhat.com/):

955908 - CVE-2013-3060 activemq: Unauthenticated access to web console

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-3060.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache&downloadType=securityPatches&version=5.5.1-fuse-10

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSLf9tXlSAg2UNWIIRAmHQAJ0fcyfu+nUkyiYjdR9eEEHu0H9TUgCdERmP
S2SpsusgerLppqPIKmIGl1o=
=Qvp+
-----END PGP SIGNATURE-----

More information about the Jboss-watch-list mailing list