Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK see this excellent analysis by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down." How serious the FREAK thing is open to plenty of debate in the IT security world right now, what with both clients and servers being patched and the technicalities of the attack less than straightforward for non state sponsored actors in the real world.

However, that still leaves the second bit of bad news on the Apache front: ActiveMQ LDAP Wildcard Interpretation. Researchers from MWR InfoSecurity Labs have identified two weaknesses in the way Apache ActiveMQ performs LDAP authentication. The vulnerabilities allow for leveraging the unauthenticated authentication mechanism, when supported by the remote LDAP service, or abuse an LDAP wildcard expansion weakness. The unauthenticated authentication mechanism may be used for performing unauthenticated Bind with an LDAP service. The wildcard interpretation weakness allows for brute forcing a password, for an unknown but valid account, as opposed to brute forcing a combination of username and password.

More information and the technical details on Apache ActiveMQ LDAP Wildcard Interpretation can be found here.

In addition, MWR Labs found that the Apache ActiveMQ and ActiveMQ Apollo messaging brokers are susceptible to XML external entities attacks when handling subscriptions with XPath based selectors. So an attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server.

More information regarding Apache ActiveMQ and ActiveMQ Apollo XML External Entity Data Parsing can be found here.