Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK see this excellent analysis by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down." The practical point for administrators is that the attack only works against a server still willing to negotiate an RSA_EXPORT cipher suite (and a client that will accept the resulting 512-bit key), so excluding those suites on the server side, for example with !EXPORT in the mod_ssl SSLCipherSuite directive, closes it regardless of which clients have been patched. How serious FREAK is remains open to plenty of debate in the IT security world right now, with both clients and servers being patched and the technicalities of the attack being less than straightforward for non-state-sponsored actors in the real world.

However, that still leaves the second bit of bad news on the Apache front: ActiveMQ LDAP Wildcard Interpretation. Researchers from MWR InfoSecurity Labs have identified two weaknesses in the way Apache ActiveMQ performs LDAP authentication. The first lets an attacker leverage LDAP's unauthenticated authentication mechanism, where the remote LDAP service supports it: a Bind request carrying a valid name and an empty password is an unauthenticated Bind, which a permissive directory answers with success (granting only anonymous access), and the broker takes that success as proof of identity. The second is a wildcard interpretation weakness: the supplied username is interpreted as an LDAP filter value rather than as a literal, so a wildcard such as * resolves to an existing account and the attacker only has to brute-force a password for an unknown but valid account, as opposed to brute-forcing a combination of username and password.

More information and the technical details on Apache ActiveMQ LDAP Wildcard Interpretation can be found here.
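To make the two weaknesses concrete, here is an added example (it is not the MWR advisory's code and not ActiveMQ's own LDAPLoginModule): a small Python model of a JAAS-style LDAP login module, with an in-memory directory standing in for the remote LDAP server. The directory contents, account names and passwords are constructed for the demo. The vulnerable login drops the username straight into the (uid=...) search filter and binds with whatever password arrives; the hardened version escapes the filter value per RFC 4515 and refuses to bind with an empty password, because an LDAP simple Bind with a name and no password is an unauthenticated Bind (RFC 4513, section 5.1.2) that a permissive server answers with success.

```python
import re

# Constructed in-memory directory standing in for the remote LDAP server:
# uid -> (DN, password). Insertion order matters: a naive login module
# takes the first search hit, so a "*" username resolves to the admin entry.
DIRECTORY = {
    "admin": ("uid=admin,ou=people,dc=example,dc=com", "Sup3rSecret!"),
    "alice": ("uid=alice,ou=people,dc=example,dc=com", "hunter2"),
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c")   # backslash first, or we double-escape
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def filter_matches(pattern, value):
    """Minimal LDAP substring matching for a (uid=<pattern>) filter: a bare
    '*' is a wildcard, '\\xx' is a hex-escaped literal character."""
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.fullmatch(".*".join(pieces), value) is not None


def search_user(filter_value):
    """The login module's user lookup. Returns the DN of the FIRST entry
    matching (uid=<filter_value>), the way a naive module would."""
    for uid, (dn, _password) in DIRECTORY.items():
        if filter_matches(filter_value, uid):
            return dn
    return None


def simple_bind(dn, password):
    """Simulated LDAP simple Bind. A name with an empty password is an
    unauthenticated Bind (RFC 4513 5.1.2): a server that allows it answers
    success and grants only anonymous access, but the caller just sees
    "bind succeeded"."""
    if password == "":
        return True
    return any(entry_dn == dn and entry_pw == password
               for entry_dn, entry_pw in DIRECTORY.values())


def vulnerable_login(username, password):
    """Username goes into the filter unescaped; whatever comes back is bound."""
    dn = search_user(username)
    return dn is not None and simple_bind(dn, password)


def hardened_login(username, password):
    """Refuse empty credentials before talking to LDAP, escape the filter
    value so '*' is a literal, and bind only the resulting entry."""
    if not username or not password:
        return False
    dn = search_user(ldap_escape(username))
    return dn is not None and simple_bind(dn, password)


def guess_password_without_username(candidates):
    """What the wildcard weakness buys an attacker: a password-only brute
    force against whichever valid account the wildcard resolves to."""
    for candidate in candidates:
        if vulnerable_login("*", candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("wildcard + password guess :", guess_password_without_username(["letmein", "Sup3rSecret!"]))
    print("empty password, valid user:", vulnerable_login("admin", ""))
    print("hardened, same inputs     :", hardened_login("*", "Sup3rSecret!"), hardened_login("admin", ""))
```

A production module should additionally fail closed when the search returns more than one entry rather than picking the first, and the empty-password check belongs on the application side because whether the directory honours unauthenticated Binds is a server setting the broker does not control.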

In addition, MWR Labs found that the Apache ActiveMQ and ActiveMQ Apollo messaging brokers are susceptible to XML External Entity (XXE) attacks when handling subscriptions with XPath-based selectors: to evaluate the selector, the broker parses the message body as XML with DTD processing enabled. So an attacker who is able to push to and pull from a message queue can use this flaw to perform DTD-based denial of service (entity expansion), server-side request forgery via external entities pointing at internal URLs, or reading of local files accessible to the user running the broker, returned from the server in the message.

More information regarding Apache ActiveMQ and ActiveMQ Apollo XML External Entity Data Parsing can be found here.
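The following added example (Python standard library only; it is not ActiveMQ or Apollo code and does not use their XPath selector machinery) shows the XXE class of bug above on a stand-in for the broker's body parsing. A constructed message body declares an external entity pointing at a file on the broker host, and the same body is parsed three ways: with external general entities resolved (the file content lands in the element the selector reads), with external entity resolution disabled (nothing leaks, but an internal-entity DoS in a DOCTYPE would still be parsed), and with any DOCTYPE rejected outright. The secret file and its contents are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class UntrustedDoctype(ValueError):
    """Raised when a message body carries a DTD we refuse to process."""


class TextCollector(ContentHandler):
    """Collects character data: what an XPath selector such as
    /order/note/text() would end up evaluating."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class DoctypeRejector:
    """SAX lexical handler that aborts the parse at the first <!DOCTYPE ...>.
    No DTD means neither internal entities (billion laughs) nor external
    entities (file read, SSRF) can be declared at all."""
    def startDTD(self, name, public_id, system_id):
        raise UntrustedDoctype("DTD in message body rejected: %s" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(path):
    """Constructed attacker message body: the external entity pulls the
    named local file into <note>, where a selector on the note text reads it.
    Pointing SYSTEM at an http:// URL instead is the SSRF variant."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://%s">]>'
            '<order><note>&xxe;</note></order>' % path).encode()


def parse_message_body(body, resolve_external, reject_doctype):
    """Stand-in for the broker parsing a body before XPath evaluation."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, DoctypeRejector())
    parser.parse(io.BytesIO(body))
    return "".join(collector.chunks)


def demo():
    """Returns what each parser configuration lets the attacker see."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties",
                                     delete=False) as fh:
        fh.write("broker.db.password=s3cret")  # constructed secret on the host
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        # 1. External general entities resolved: the file content leaks.
        leaked = parse_message_body(payload, resolve_external=True,
                                    reject_doctype=False)
        # 2. External entity resolution off: entity skipped, nothing leaks.
        skipped = parse_message_body(payload, resolve_external=False,
                                     reject_doctype=False)
        # 3. DOCTYPE refused before any entity declaration is processed.
        try:
            parse_message_body(payload, resolve_external=False,
                               reject_doctype=True)
            blocked = False
        except UntrustedDoctype:
            blocked = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "skipped": skipped, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The same two controls exist in the Java parsers a broker would actually use (disallowing the DOCTYPE declaration, and turning off external general and parameter entity resolution); the design choice worth copying is to reject the DOCTYPE rather than only disabling external entities, since message bodies have no legitimate need for a DTD and internal entity expansion is the denial-of-service half of the advisory.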

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011 despite my life being far from over...