SB2021093016 - Multiple vulnerabilities in Red Hat AMQ Broker
Published: September 30, 2021 Updated: February 11, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-28164)
The vulnerability allows a remote attacker to gain access to sensitive informatoin.
The vulnerability exists due to insufficient validation of user-supplied input when processing special characters, passed via URI. A remote attacker can use %2e or %2e%2e segments to access protected resources within the WEB-INF directory.
Example:
http://[host]/context/%2e/WEB-INF/web.xml
2) Improper access control (CVE-ID: CVE-2021-34429)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.
3) Cleartext storage of sensitive information (CVE-ID: CVE-2021-21290)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to insecure usage of temporary files in AbstractDiskHttpData method in Netty. The application stores sensitive information in temporary file that has insecure permissions. A local user can view application's temporary file and gain access to potentially sensitive data.4) Input validation error (CVE-ID: CVE-2021-28169)
The vulnerability allows a remote attacker to gain access to sensitive information..
The vulnerability exists due to a double decoding issue when parsing URI with certain characters. A remote attacker can send requests to the ConcatServlet and WelcomeFilter and view contents of protected resources within the WEB-INF directory.
Example:
/concat?/%2557EB-INF/web.xml
5) Input validation error (CVE-ID: CVE-2020-13956)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-21295)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 when converting HTTP/2 to HTTP/1 streams. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
7) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-21409)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 in Netty, if the request only uses a single Http2HeaderFrame with the endStream set to to true. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
8) Insufficient Session Expiration (CVE-ID: CVE-2021-34428)
The vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.
9) Information disclosure (CVE-ID: CVE-2021-20289)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. A remote attacker can obtain endpoint class and method names.
10) Information disclosure (CVE-ID: CVE-2021-28163)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
11) Improper input validation (CVE-ID: CVE-2020-27223)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
12) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-3425)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the AMQ Broker discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile, if jdbc persistence functionality is used. A local user can read the log files and gain access to sensitive data.
13) Resource exhaustion (CVE-ID: CVE-2021-28165)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger CPU high load and perform a denial of service (DoS) attack.
14) Path traversal (CVE-ID: CVE-2021-29425)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.
15) Improper access control (CVE-ID: CVE-2021-3763)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions for users without a role set. A remote privileged user can bypass implemented security restrictions and gain unauthorized access to the in the management console.
Remediation
Install update from vendor's website.