Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK see this excellent analysis by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down." How serious FREAK really is remains open to plenty of debate in the IT security world right now, what with both clients and servers being patched and the technicalities of the attack being less than straightforward for non-state-sponsored actors in the real world.

However, that still leaves the second bit of bad news on the Apache front: ActiveMQ LDAP Wildcard Interpretation. Researchers from MWR InfoSecurity Labs have identified two weaknesses in the way Apache ActiveMQ performs LDAP authentication. The vulnerabilities allow an attacker either to leverage the unauthenticated authentication mechanism, when the remote LDAP service supports it, or to abuse an LDAP wildcard expansion weakness. The unauthenticated authentication mechanism may be used to perform an unauthenticated Bind with an LDAP service. The wildcard interpretation weakness allows a password to be brute forced for an unknown but valid account, rather than having to brute force a combination of username and password.

More information and the technical details on Apache ActiveMQ LDAP Wildcard Interpretation can be found here.
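As an added illustration of the defensive side of the two LDAP weaknesses above (this is example code, not ActiveMQ's own implementation), the snippet below assumes a broker that looks users up with a filter template such as `(uid={0})` and then performs a simple bind with the supplied password; it escapes filter metacharacters per RFC 4515 so a `*` is matched literally, and refuses empty passwords so the bind can never degrade into an unauthenticated bind.

```python
"""Defensive checks for an LDAP login path (constructed example, not ActiveMQ code).

Assumed flow: the broker builds a search filter from the username, finds the
entry, then binds as that entry with the user's password. A raw "*" in the
username would turn the filter into a wildcard match; an empty password
would turn the bind into an unauthenticated bind (RFC 4513 section 5.1.2)
that many directory servers accept as a successful anonymous bind.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it matches literally, never as a wildcard."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = "(uid={0})") -> str:
    """Build the lookup filter with the username escaped (template is a constructed example)."""
    return template.format(escape_filter_value(username))


def validate_credentials(username: str, password: str) -> bool:
    """Return True only if a simple bind with these credentials should be attempted.

    Rejects an empty password (which would request an unauthenticated bind) and
    any username that is empty or carries filter metacharacters; a legitimate
    account name never contains them, so rejecting is safer than escaping alone.
    """
    if not username or not password:
        return False
    if re.search(r"[*()\\\x00]", username):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a wildcard username and an empty password.
    print(build_user_filter("ad*"))                 # (uid=ad\2a)
    print(validate_credentials("*", "hunter2"))     # False
    print(validate_credentials("alice", ""))        # False
    print(validate_credentials("alice", "s3cret"))  # True
```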

In addition, MWR Labs found that the Apache ActiveMQ and ActiveMQ Apollo messaging brokers are susceptible to XML External Entity (XXE) attacks when handling subscriptions with XPath-based selectors. So an attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery, or to read from the server any local files accessible to the user running the MQ broker.

More information regarding Apache ActiveMQ and ActiveMQ Apollo XML External Entity Data Parsing can be found here.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
