Security Advisory Important: Fuse Message Broker 5.5.1 security update

Advisory: RHSA-2013:1221-1
Type: Security Advisory
Severity: Important
Issued on: 2013-09-09
Last updated on: 2013-09-09
Affected Products:
CVEs ( CVE-2013-3060


An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

This update delivers a README file which describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.


The References section of this erratum contains a download link (you must
log in to download the update). Back up existing Fuse Message Broker
configuration files before making changes.

Updated packages

Bugs fixed (see bugzilla for more information)

955908 - CVE-2013-3060 activemq: Unauthenticated access to web console


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at