The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Versions of Apache ActiveMQ 5.x prior to 5.13.2 are affected by a flaw that is due to missing 'X-Frame-Options' headers in HTTP responses.  This may potentially allow a context-dependent attacker to conduct a clickjacking attack.

Michael Furman reports :

The web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.

The version of Apache ActiveMQ running on the remote host is affected by a clickjacking vulnerability in the web-based administration console due to not setting the X-Frame-Options header in HTTP responses. A remote attacker can exploit this to trick a user into executing administrative tasks.

Note that this vulnerability was partially fixed in 5.11.4 and 5.12.3 by setting the X-Frame-Options header for Servlets and JSPs but not static content. Therefore, the fix for these versions is incomplete, and it is recommended that users upgrade to 5.13.2 or later.

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.13.2. It is, therefore, affected by multiple vulnerabilities :

  - A clickjacking vulnerability exists in the web-based     administration console due to not setting the     X-Frame-Options header in HTTP responses. A remote     attacker can exploit this to trick a user into executing     administrative tasks. (CVE-2016-0734)

  - Multiple cross-site scripting vulnerabilities exists in     the web-based administration console to improper     validation of user-supplied input. A remote attacker can     exploit these, via a specially crafted request, to     execute arbitrary script code in a user's browser     session. (CVE-2016-0782)

Note that CVE-2016-0734 was partially fixed in 5.11.4 and 5.12.3 by setting the X-Frame-Options header for Servlets and JSPs but not static content. Therefore, the fix for these versions is incomplete, and it is recommended that users upgrade to 5.13.2 or later.

ID	Name	Product	Family	Severity
9318	Apache ActiveMQ 5.x < 5.13.2 Clickjacking	Nessus Network Monitor	CGI	low
90234	FreeBSD : activemq -- Web Console Clickjacking (950b2d60-f2a9-11e5-b4a9-ac220bdcec59)	Nessus	FreeBSD Local Security Checks	medium
90026	Apache ActiveMQ Web Console Missing X-Frame-Options Clickjacking	Nessus	CGI abuses	medium
90025	Apache ActiveMQ 5.x < 5.13.2 Multiple Vulnerabilities	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2016-0734

medium

Tenable Plugins

low

medium

medium

medium