NAM ActiveMQ is vulnerable ( false positive Java Keystore Security scan)

  • 7023095
  • 13-Jun-2018
  • 13-Jun-2018

Environment


Access Manager 4.4
Access Manager 4.3

Situation

Customers ran a security scan on AG and their tool found an alleged vulnerability related to being able to retrieve the Java Keystore Password.

Java SSL KeyStore Password Disclosure Vulnerability

The execution of ps -ef shows that it uses an insecure configuration due to use of ssl.keyStorePassword.The successful execution of this vulnerability allows an attacker to get access to the password used by Java Keystore


activem+ 29633     1  0 May29 ?        00:08:14 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/novell/activemq/conf/broker.ks -Djavax.net.ssl.trustStore=/opt/novell/activemq/conf/broker.ts -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start

Resolution

By looking at the ps –ef output it definitely gives the impression of a security vulnerability but actually it is not.

 

activem+ 29633     1  0 May29 ?        00:08:14 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/novell/activemq/conf/broker.ks -Djavax.net.ssl.trustStore=/opt/novell/activemq/conf/broker.ts -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start

 

But these keystore and truststore files are not on the system.

 

msingh14:~ # ls /opt/novell/activemq/conf/broker.ks

ls: cannot access '/opt/novell/activemq/conf/broker.ks': No such file or directory

msingh14:~ # ls -l /opt/novell/activemq/conf/broker.ts

ls: cannot access '/opt/novell/activemq/conf/broker.ts': No such file or directory

 

The password and key/trust stores in process output are just place holder to run the activemq in SSL ( but we are not using SSL connection for activemq )

 

It can be work around by editing the file /opt/novell/activemq/bin/activemq.

Change the line ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $SUNJMX $SSL_OPTS" to remove the SSL_OPTS ( ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $SUNJMX ")

 

Restart the activemq and check the process status.

msingh14:/opt/novell/activemq # ps -aef | grep activemq

activem+ 11938     1  0 22:48 ?        00:00:03 /opt/novell/java/bin/java -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Dcom.sun.management.jmxremote -Dactivemq.classpath=/opt/novell/activemq/conf; -Dactivemq.home=/opt/novell/activemq -Dactivemq.base=/opt/novell/activemq -jar /opt/novell/activemq/bin/run.jar start

 

Feedback service temporarily unavailable. For content questions or problems, please contact Support.