Researchers have found a cross-site scripting (XSS) flaw in Apache ActiveMQ that could enable a remote attacker with no privileges to launch an array of attacks against visitors to compromised websites.
The vulnerability (CVE-2018-8006) was disclosed today and impacts ActiveMQ versions earlier than 5.15.5.
Apache ActiveMQ is an open-source message broker, which acts as a middle man to communicate data between other software. The flaw targets the “QueueFilter” parameter within ActiveMQ, which exists to apply content-based routing filters for the data that ActiveMQ is brokering between pieces of software.
Bruno Oliveira, security researcher with Trustwave Spiderlab, discovered the flaw. Essentially, an attacker would only need to feed a URL-encoded script to the parameter (http://localhost:8161/admin/queues.jsp?QueueFilter=yu1ey%22%3e%3cscript%3ealert(%22Spi derLabs%22)%3c%2fscript%3eqb68) in the URI, researchers said, to trigger an exploit.
“XSS bugs do not affect the web server, but rather the web clients (browsers) that visit the affected website,” Karl Sigler, threat intelligence manager SpiderLabs at Trustwave, told Threatpost. “XSS allow an attacker to embed their own scripts and code into the website and have that code executed whenever the client visits the specific URL.”
With the malicious code embedded in the website, the attacker can then piggyback on the trust level of the website and launch a variety of attacks, Sigler said. Those may include triggering a pop-up asking the user for their credentials, prompting the user to install malicious software or browser plugins via a fake “update” prompt or exploiting vulnerabilities in the web browser itself.
“No privileges are necessary,” Sigler told us. “The attackers only need access to the ActiveMQ software remotely (potentially from across the internet if ActiveMQ is exposed publicly to the internet). The attack itself is incredibly easy to exploit and XSS bugs like these consistently rank in the top 10 web application vulnerabilities.”
While the attack can be launched remotely, Sigler said XSS vulnerabilities are generally considered medium severity as they still require the tricky combination of a vulnerable website and the added effort of convincing victims to visit a malicious URL that exploits the vulnerability.
“The combination of those requirements make it less severe than a direct remote code-execution vulnerability,” he said.
It’s difficult to estimate how many systems are impacted, Sigler said – it depends on how many installations of ActiveMQ exist and how exposed those vulnerable instances are to the internet.
The flaw was reported to Apache April 27 and has been patched: “Apache was very responsive and cooperative throughout the disclosure process,” Sigler said. Apache fixed the bug in ActiveMQ version 5.15.5 – so users with earlier versions should upgrade.
Apache has had a busy week- earlier this week the company said it has patched a critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, which is threatening a wide range of applications, even when no additional plugins were enabled.