Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Abhilash
Hi,

We are using the Apache ActiveMQ 5.13 version. This version contains the Apache
Geronimo jars mentioned below.

1.geronimo-annotation_1.0_spec-1.1.1.jar
2.geronimo-j2ee-connector_1.5_spec-2.0.0.jar
3.geronimo-j2ee-management_1.1_spec-1.0.1.jar
4.geronimo-jms_1.1_spec-1.1.1.jar
5.geronimo-jta_1.0.1B_spec-1.0.1.jar

This shows up as a vulnerability in Code Insight, and it says it is a hash collision
issue.
How do we fix this issue? Please suggest.



--
Sent from: http://apache-geronimo.328035.n3.nabble.com/Users-f328036.html

Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Mark Struberg
Hi Munna!

Do you have an example code? Classname, method and line number would really help!
Not quite sure where there would be a hash collision.

txs and LieGrue,
strub

Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Abhilash
No, there is no class mentioned in the report.

The report just says, as below, that Apache ActiveMQ has these jars and this may lead
to hash collisions.

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters
without restricting the ability to trigger hash collisions predictably,
which allows remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

You can see this at the link below:
https://nvd.nist.gov/vuln/detail/CVE-2011-5034

Here it says the solution is to replace it with the latest Apache Geronimo jar, but this is part of
the latest Apache ActiveMQ version and we are not using independent jars. How can I fix
it?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034

Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Mark Struberg
Ohh, that's really a false positive :(

From the CVE-2011-5034:

> Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting

This only affects the Apache Geronimo Application Server - which is now retired btw.
And there it affects HTTP post parameter parsing afaict.

It has nothing to do with the spec jars you listed. Those are really clean.


LieGrue,
strub

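As an added illustration of the false positive Mark describes (example code written for this page, not from the thread or from any Apache project): a small Python triage script that parses the reported jar names and shows why a rule that matches on the "geronimo" name plus the "2.2.1 and earlier" version range flags all five spec jars, while a rule keyed on the actual affected artifact does not. The bare artifact name `geronimo` standing for the server distribution, and the sample name `geronimo-2.1.8.jar`, are assumptions of the example, not identifiers from the page.

```python
"""Triage helper for a dependency-scanner finding (constructed example).

The scanner in the thread flagged the Geronimo *spec* jars shipped with
ActiveMQ against CVE-2011-5034, which describes the Geronimo application
server ("2.2.1 and earlier"). This script parses the reported jar names and
compares a name-substring rule with a rule keyed on the affected artifact.
"""
import re

# Constructed sample input: the jar names listed in the report, plus one
# hypothetical server jar name to show what a true positive would look like.
REPORTED_JARS = [
    "geronimo-annotation_1.0_spec-1.1.1.jar",
    "geronimo-j2ee-connector_1.5_spec-2.0.0.jar",
    "geronimo-j2ee-management_1.1_spec-1.0.1.jar",
    "geronimo-jms_1.1_spec-1.1.1.jar",
    "geronimo-jta_1.0.1B_spec-1.0.1.jar",
]
HYPOTHETICAL_SERVER_JAR = "geronimo-2.1.8.jar"  # constructed name, not a real file

# The affected product as the CVE text gives it: Geronimo (the server),
# version 2.2.1 and earlier. Using the bare artifact name "geronimo" to stand
# for the server distribution is an assumption of this example.
AFFECTED_ARTIFACT = "geronimo"
AFFECTED_MAX_VERSION = "2.2.1"

# <artifact>-<version>.jar, where the version starts with a digit. The spec
# jars carry a spec version inside the artifact id (jms_1.1_spec) and an
# implementation version after the last hyphen (1.1.1); only the latter is
# the artifact's own version.
_JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jar(name):
    """Split a jar file name into (artifact, version); raise on unknown shapes."""
    m = _JAR_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised jar name: {name}")
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Turn '2.2.1' into a comparable tuple. A trailing letter such as '1B'
    sorts after the bare number; that is the only non-numeric form on the page."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return tuple(key)


def naive_flag(artifact, version):
    """Substring rule: 'geronimo' anywhere in the name and version <= 2.2.1."""
    return "geronimo" in artifact and version_key(version) <= version_key(AFFECTED_MAX_VERSION)


def precise_flag(artifact, version):
    """Artifact rule: only the affected product, within the affected range."""
    return artifact == AFFECTED_ARTIFACT and version_key(version) <= version_key(AFFECTED_MAX_VERSION)


def triage(jar_names):
    """Return {jar: (artifact, version, naive_flag, precise_flag)} per name."""
    out = {}
    for name in jar_names:
        artifact, version = parse_jar(name)
        out[name] = (artifact, version, naive_flag(artifact, version), precise_flag(artifact, version))
    return out


if __name__ == "__main__":
    rows = triage(REPORTED_JARS + [HYPOTHETICAL_SERVER_JAR])
    for name, (artifact, version, naive, precise) in rows.items():
        verdict = "true positive" if precise else ("false positive" if naive else "not flagged")
        print(f"{name:45} {artifact:34} {version:6} {verdict}")
```

Every spec jar trips the substring rule because its implementation version (1.0.1, 1.1.1, 2.0.0) is numerically below 2.2.1, even though those numbers belong to a different artifact than the server the CVE names. A scanner that keys on the vendor's affected-product identifier rather than on a name fragment avoids exactly this class of finding, which is the triage argument to take to the tool vendor.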

Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Mark Struberg
Btw, which tool are you using to scan for security problems? We should report this to the tool vendor.

txs and LieGrue,
strub

Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.

Abhilash
Thanks Mike for your help.
We are using a third-party tool called Code Insight.