Aerosol Posted March 10, 2015

Two critical bugs in the commonly used Apache ActiveMQ open source messaging and Integration Patterns server are leaving businesses open to denial-of-service (DoS) and brute force cyber attacks.

Researchers at MWR InfoSecurity Labs reported identifying the bugs, warning they affect Apache ActiveMQ versions 5.0.0 to 5.10.0 and Apache ActiveMQ Apollo versions 1.0 to 1.7.

The flaws reportedly stem from the way Apache ActiveMQ performs Lightweight Directory Access Protocol (LDAP) authentication.

"A vulnerability was identified in ActiveMQ in the way it handles content-based subscriptions, which allows an adversary to trigger processing of XML external entities (XXE)," read the advisory.

"Apache ActiveMQ Apollo, which is another MQ implementation built for reliability and performance and originally based on ActiveMQ, was also found to be affected by this vulnerability."

The researchers added the flaws are dangerous as they could be exploited for a variety of purposes.

"In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer," read the advisory.

"An attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server."

It is currently unclear whether hackers are actively exploiting the flaw. MWR InfoSecurity had not responded to V3's request for comment at the time of publishing.

The flaw is dangerous as Apache ActiveMQ is a commonly used open source message broker service. Written in Java, Apache ActiveMQ is designed to facilitate communications between multiple clients or servers.

The news follows the discovery of several critical flaws affecting other commonly used open source tools and services.
Researchers reported uncovering the notorious Heartbleed flaw in April 2014. Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites.

In a recent interview with V3, Maarten Ectors, Canonical's vice president of next-generation networks and proximity cloud, argued the nature of open source software development means further Heartbleed-level flaws will be discovered in the very near future.

Source