How do I restrict the HTTP OPTIONS method on ActiveMQ port 61614?

Time: 2019-04-11 02:12:48

Tags: security jetty activemq embedded-jetty http-method

We use ActiveMQ 5.14 in our application, and a recent internal vulnerability assessment flagged http-options-method-enabled on port 61614.

Below is the entry from activemq.xml.

<transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
* About to connect() to XX.xX.xxx.xxx port 61614 (#0)
*   Trying XX.xX.xxx.xxx... connected
* Connected to XX.xX.xxx.xxx (XX.xX.xxx.xxx) port 61614 (#0)
> OPTIONS / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: XX.xX.xxx.xxx:61614
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 11 Apr 2019 02:02:48 GMT
< Allow: GET, HEAD, TRACE, OPTIONS
< Content-Length: 0
< Server: Jetty(9.2.13.v20150730)
<
* Connection #0 to host XX.xX.xxx.xxx left intact
* Closing connection #0

I looked into this and found that ActiveMQ uses embedded Jetty, so I tried adding a security constraint in jetty.xml as shown below.

<bean id="httpMethodSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="Restricted" />
    <!--<property name="roles" value="admin" /> -->
    <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>

<bean id="httpMethodSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="httpMethodSecurityConstraint" />
    <property name="method" value="OPTIONS" />
    <property name="pathSpec" value="/*" />
</bean>

<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="securityLoginService" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="httpMethodSecurityConstraintMapping" />
        </list>
    </property>
    <property name="handler" ref="secHandlerCollection" />
</bean>

However, the following still returns HTTP status 200.

curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v

Any help on this would be greatly appreciated.

Thanks.
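Added example, not code from the question or from ActiveMQ/Jetty: a simplified Python model of how Jetty 9's ConstraintSecurityHandler evaluates the beans posted above, so a reader can see that authenticate=true with the roles line commented out is a "forbidden" constraint (403 for every OPTIONS request it matches), while restoring roles="admin" turns it into a login-plus-role check. Note the caveat the assessment result points at: conf/jetty.xml builds the web-console Jetty instance (port 8161 by default), whereas the ws transport connector starts its own embedded Jetty for 61614 with no security handler, so constraints added to jetty.xml never reach that port.

```python
from dataclasses import dataclass
from typing import Optional
# Simplified model of Jetty 9 ConstraintSecurityHandler evaluation (added
# illustration, not Jetty code): authenticate=true with no roles is "forbidden".
@dataclass
class Constraint:
    name: str
    authenticate: bool = False
    roles: tuple = ()

    @property
    def forbidden(self) -> bool:
        return self.authenticate and not self.roles

@dataclass
class ConstraintMapping:
    constraint: Constraint
    path_spec: str                 # servlet-style spec: "/*", "/admin/*" or exact path
    method: Optional[str] = None   # None = applies to every HTTP method

def path_matches(spec: str, path: str) -> bool:
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return spec == path

def decide(mappings, method, path, principal=None, user_roles=()):
    """HTTP status the handler yields: 200 (passed on to the servlet),
    401 (authentication demanded) or 403 (forbidden, or role not held)."""
    hits = [m for m in mappings if path_matches(m.path_spec, path)]
    # a mapping naming this method wins over mappings that cover all methods
    applicable = [m for m in hits if m.method == method] or [m for m in hits if m.method is None]
    if not applicable:
        return 200
    if any(m.constraint.forbidden for m in applicable):
        return 403
    if not any(m.constraint.authenticate for m in applicable):
        return 200
    if principal is None:
        return 401
    allowed = {r for m in applicable for r in m.constraint.roles}
    return 200 if allowed & set(user_roles) else 403

# The question's beans as data: "Restricted" (authenticate=true, roles commented
# out) mapped to method OPTIONS on /*, and a variant with roles="admin" restored.
RESTRICTED = Constraint("Restricted", authenticate=True)
QUESTION_MAPPINGS = [ConstraintMapping(RESTRICTED, "/*", method="OPTIONS")]
ADMIN_ONLY = Constraint("Restricted", authenticate=True, roles=("admin",))
ADMIN_MAPPINGS = [ConstraintMapping(ADMIN_ONLY, "/*", method="OPTIONS")]
```

Run `decide(QUESTION_MAPPINGS, "OPTIONS", "/")` to see the 403 the posted beans would produce on the Jetty instance they are actually installed in; a 200 from a live port means that instance never saw them.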

0 answers:

No answers