Jump to content

Apache ActiveMQ flaws leaving enterprise servers open to DoS attacks

Recommended Posts


Two critical bugs in the commonly used Apache ActiveMQ open source messaging and Integration Patterns server are leaving businesses open to denial-of-service (DoS) and brute force cyber attacks.

Researchers at MWR InfoSecurity Labs reported identifying the bugs, warning they affect Apache ActiveMQ versions 5.0.0 to 5.10.0 and Apache ActiveMQ Apollo versions 1.0 to 1.7.

The flaws reportedly stem from the way Apache ActiveMQ performs Lightweight Directory Access Protocol (LDAP) authentication.

"A vulnerability was identified in ActiveMQ in the way it handles content-based subscriptions, which allows an adversary to trigger processing of XML external entities (XXE)," read the advisory.

"Apache ActiveMQ Apollo, which is another MQ implementation built for reliability and performance and originally based on ActiveMQ, was also found to be affected by this vulnerability."

The researchers added the flaws are dangerous as they could be exploited for a variety of purposes.

"In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer," read the advisory.

"An attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server."

It is currently unclear whether hackers are actively exploiting the flaw. MWE InfoSecurity had not responded to V3's request for comment at the time of publishing.

The flaw is dangerous as Apache ActiveMQ is a commonly used open source message broker service.

Written in Java, Apache ActiveMQ is designed to facilitate communications between multiple clients or servers.

The news follows the discovery of several critical flaws affecting other commonly used open source tools and services. Researchers reported uncovering the notorious Heartbleed flaw in April 2014.

Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites.

In a recent interview with V3, Maarten Ectors, Canonical's vice president of next-generation networks and proximity cloud, argued the nature of open source software development means further Heartbleed-level flaws will be discovered in the very near future.


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...