NAM ActiveMQ is vulnerable (false positive: Java Keystore security scan)

  • 7023095
  • 13-Jun-2018
  • 13-Jun-2018

Environment


Access Manager 4.4
Access Manager 4.3

Situation

Customers ran a security scan against the Access Gateway (AG) and their tool reported an alleged vulnerability: the Java keystore password can be retrieved from the process list. The scanner's finding reads:

Java SSL KeyStore Password Disclosure Vulnerability

The execution of ps -ef shows that it uses an insecure configuration due to use of ssl.keyStorePassword. The successful execution of this vulnerability allows an attacker to get access to the password used by Java Keystore.


activem+ 29633     1  0 May29 ?        00:08:14 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/novell/activemq/conf/broker.ks -Djavax.net.ssl.trustStore=/opt/novell/activemq/conf/broker.ts -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start

Resolution

Looking at the ps -ef output certainly gives the impression of a security vulnerability, but it is not one.


activem+ 29633     1  0 May29 ?        00:08:14 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/novell/activemq/conf/broker.ks -Djavax.net.ssl.trustStore=/opt/novell/activemq/conf/broker.ts -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start


The keystore and truststore files that those -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore properties point to do not exist on the system:


msingh14:~ # ls /opt/novell/activemq/conf/broker.ks

ls: cannot access '/opt/novell/activemq/conf/broker.ks': No such file or directory

msingh14:~ # ls -l /opt/novell/activemq/conf/broker.ts

ls: cannot access '/opt/novell/activemq/conf/broker.ts': No such file or directory


The password and the keystore/truststore paths in the process output are only placeholders that would be used to run ActiveMQ over SSL; NAM does not use an SSL connection for ActiveMQ, so the stores are never created and the disclosed password protects nothing. The general pattern the scanner flags is real, though: JVM -D system properties are visible to every local user through ps and /proc/<pid>/cmdline, so on a host where those stores actually exist the finding should be treated as a genuine credential exposure.


It can be worked around by editing the file /opt/novell/activemq/bin/activemq so that the SSL properties are no longer passed to the JVM.

Change the line ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $SUNJMX $SSL_OPTS" to remove $SSL_OPTS, i.e. ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $SUNJMX". This is a product-supplied script, so re-check the line after any upgrade of the Access Gateway.


Restart ActiveMQ and check the process status. The javax.net.ssl.* properties are no longer on the command line:

msingh14:/opt/novell/activemq # ps -aef | grep activemq

activem+ 11938     1  0 22:48 ?        00:00:03 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start
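The checks above (is a keystore password on the command line, and does the referenced store actually exist?) can be scripted so the same triage is repeatable on other hosts. The following is an added example and is not part of this TID or of the NAM product; the function names and the sample ps lines are constructed here, modelled on the output shown above (the PIDs and times are made up), and the classification labels are this example's own.

```shell
#!/bin/sh
# Added example (not NAM/ActiveMQ code): triage a "Java keystore password on the
# command line" scanner finding. For one line of `ps -ef` output, extract the
# -Djavax.net.ssl.* properties and check whether the referenced keystore and
# truststore files exist on disk. A password pointing at stores that do not
# exist is an unused placeholder (the NAM ActiveMQ case); a password pointing
# at a store that does exist is a live credential readable by any local user
# via /proc/<pid>/cmdline and must be moved out of the command line.

# Print the value of a -D<name>=<value> JVM property from a command line,
# or nothing if it is absent. $1 = command line, $2 = property name.
jvm_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | head -n 1
}

# Classify one process command line. Prints exactly one of:
#   clean        no javax.net.ssl password properties present
#   placeholder  password present, but no referenced store file exists
#   real         password present and at least one referenced store exists
triage_cmdline() {
    cmdline=$1
    kspw=$(jvm_prop "$cmdline" javax.net.ssl.keyStorePassword)
    tspw=$(jvm_prop "$cmdline" javax.net.ssl.trustStorePassword)
    if [ -z "$kspw" ] && [ -z "$tspw" ]; then
        echo clean
        return 0
    fi
    ks=$(jvm_prop "$cmdline" javax.net.ssl.keyStore)
    ts=$(jvm_prop "$cmdline" javax.net.ssl.trustStore)
    for f in "$ks" "$ts"; do
        if [ -n "$f" ] && [ -e "$f" ]; then
            echo real
            return 0
        fi
    done
    echo placeholder
}

# Run the triage over every java process on this host. Anything other than
# "clean" deserves a look; "real" is a genuine finding, not a false positive.
triage_running_java() {
    ps -eo pid=,args= | while read -r pid args; do
        case $args in
            *java*) printf '%s %s\n' "$pid" "$(triage_cmdline "$args")" ;;
        esac
    done
}

# Constructed sample lines, modelled on the ps output in the article.
SAMPLE_BEFORE='activem+ 29633 1 0 May29 ? 00:08:14 /opt/novell/java/bin/java -Xmx512M -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/novell/activemq/conf/broker.ks -Djavax.net.ssl.trustStore=/opt/novell/activemq/conf/broker.ts -jar /opt/novell/activemq/bin/run.jar start'
SAMPLE_AFTER='activem+ 11938 1 0 22:48 ? 00:00:03 /opt/novell/java/bin/java -Xmx512M -Dcom.sun.management.jmxremote -jar /opt/novell/activemq/bin/run.jar start'

# Demonstration on the constructed samples; on a box where
# /opt/novell/activemq/conf/broker.ks is absent the first line is "placeholder".
printf 'before workaround: %s\n' "$(triage_cmdline "$SAMPLE_BEFORE")"
printf 'after workaround:  %s\n' "$(triage_cmdline "$SAMPLE_AFTER")"
```

Call triage_running_java on the Access Gateway itself to classify the live processes instead of the constructed samples. The split on spaces in jvm_prop means a store path containing a space would be truncated; that does not occur with the NAM defaults shown above.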