CVE-2016-3088
unknown
KEV
CVSS v3: —
CVSS v2: —
VIR risk: 2.5
Description
The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
CISA KEV
- Vendor: Apache
- Product: ActiveMQ
- Due date: 2022-08-10
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2016-3088
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-3088
Exploits
Exploit-DB
- EDB-40857 · remote · windows
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 5.14.0+dfsg-1 |
| debian | trixie | fixed | 5.14.0+dfsg-1 |
| debian | bookworm | fixed | 5.14.0+dfsg-1 |
| debian | sid | fixed | 5.14.0+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.activemq:activemq-client | >=5.0.0,<5.14.0 | 5.14.0 |
References
- https://security-tracker.debian.org/tracker/CVE-2016-3088
- https://nvd.nist.gov/vuln/detail/CVE-2016-3088
- https://github.com/apache/activemq/commit/3dd86d04e8b90ba309819317d19e7260d414d9e7
- https://issues.apache.org/jira/browse/AMQ-6276
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://stackoverflow.com/questions/67140241/configuring-activemq-webconsole-to-redirect-http-to-https
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3088
- https://www.exploit-db.com/exploits/42283
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securitytracker.com/id/1035951
- http://www.zerodayinitiative.com/advisories/ZDI-16-356
- http://www.zerodayinitiative.com/advisories/ZDI-16-357