This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 2662db622 Automatic Site Publish by Buildbot 2662db622 is described below commit 2662db622e0f7e91892b26174214ffe3c7456dc2 Author: buildbot <us...@infra.apache.org> AuthorDate: Fri Oct 27 14:51:29 2023 +0000 Automatic Site Publish by Buildbot --- .../CVE-2023-46604-announcement.txt | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/output/security-advisories.data/CVE-2023-46604-announcement.txt b/output/security-advisories.data/CVE-2023-46604-announcement.txt new file mode 100644 index 000000000..97f4b80aa --- /dev/null +++ b/output/security-advisories.data/CVE-2023-46604-announcement.txt @@ -0,0 +1,25 @@ +Affected versions: + +- Apache ActiveMQ 5.18.0 before 5.18.3 +- Apache ActiveMQ 5.17.0 before 5.17.6 +- Apache ActiveMQ 5.16.0 before 5.16.7 +- Apache ActiveMQ before 5.15.16 +- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3 +- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6 +- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7 +- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16 + +Description: + +Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. + +Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. + +This issue is being tracked as AMQ-9370 + +References: + +https://activemq.apache.org/security-advisories.data/CVE-2023-46604 +https://activemq.apache.org/ +https://www.cve.org/CVERecord?id=CVE-2023-46604 +https://issues.apache.org/jira/browse/AMQ-9370
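Review bot: In the Description paragraph, "Remote Code Execution.The vulnerability" is missing the space after the period, and the "This issue is being tracked as AMQ-9370" line has no closing period. Because this commit is the Buildbot-generated output/ tree, the correction belongs in the source the site is built from. In the affected-versions list, the broker entry "Apache ActiveMQ before 5.15.16" has no lower bound while the matching Legacy OpenWire Module entry reads "5.8.0 before 5.15.16"; say whether that difference is intentional so operators on older releases can tell if they are in scope. The first reference URL ends in "CVE-2023-46604" while the file added here is "CVE-2023-46604-announcement.txt", so confirm that link resolves on the published site.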