This is an automated email from the ASF dual-hosted git repository. mattrpav pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push: new 9d6b79478 [NO-JIRA] Update CVE information to add clarity in language and add ActiveMQ 6.0.0 as a fixed release 9d6b79478 is described below commit 9d6b7947875151f8f0e1d678709ba2900f4326d2 Author: Matt Pavlovich <m...@hyte.io> AuthorDate: Wed Nov 22 07:56:51 2023 -0600 [NO-JIRA] Update CVE information to add clarity in language and add ActiveMQ 6.0.0 as a fixed release --- src/_news/CVE-2023-46604.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md index 2afeadf84..1d757db1f 100644 --- a/src/_news/CVE-2023-46604.md +++ b/src/_news/CVE-2023-46604.md 
@@ -7,21 +7,22 @@ type: main --- #### Summary -[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both "Classic" and Artemis clients and brokers. In short: +[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. In short: - - **Users of both "Classic" and Artemis brokers are recommended to upgrade.** + - **Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are recommended to upgrade.** - **Users of any Java-based OpenWire client (e.g. Maven dependency on `activemq-client`) are recommended to upgrade (regardless of which broker you're using).** New releases for all current branches were made available on the day the CVE was announced: -"Classic": +ActiveMQ Classic: - - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last release from this branch) - - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last release from this branch) - - [5.17.6](https://activemq.apache.org/activemq-5017006-release) + - [6.0.0](https://activemq.apache.org/activemq-6000000-release) - [5.18.3](https://activemq.apache.org/activemq-5018003-release) + - [5.17.6](https://activemq.apache.org/activemq-5017006-release) + - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last release from this branch) + - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last release from this branch) -Artemis: +ActiveMQ Artemis: - [2.31.2](https://activemq.apache.org/components/artemis/download/) 
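Review bot: the new `6.0.0` entry is added under the unchanged lead sentence "New releases for all current branches were made available on the day the CVE was announced:", so the list now claims 6.0.0 was released that day; if 6.0.0 shipped after the announcement, reword the lead (for example "The following releases contain the fix:") or add a short parenthetical on the 6.0.0 line, as the 5.15.16 and 5.16.7 lines already do. The switch from ascending to descending version order is also not mentioned in the commit message; listing newest first is sensible, but it would be worth stating so the reorder is not mistaken for an accidental change.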
@@ -34,17 +35,17 @@ As stated in the official CVE description: Three things are required to exploit this vulnerability: 1. Network access - 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class on the classpath with a `String` parameter) + 1. A manipulated OpenWire command (used to instantiate an arbitrary class on the classpath with a `String` parameter) 1. A class on the classpath which can execute arbitrary code simply by instantiating it with a `String` parameter The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client so **both** are vulnerable. -#### "Classic" Details +#### ActiveMQ Classic Details -The "Classic" broker ships with a handful of Spring dependencies including [`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html) which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has [a constructor](https://docs.spring.io/spring-frame [...] +The ActiveMQ Classic broker ships with a handful of Spring dependencies including [`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html) which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has [a constructor](https://docs.spring.io/sprin [...] The only known exploit of this vulnerability uses this `ClassPathXmlApplicationContext` to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client). 
-#### Artemis Details +#### ActiveMQ Artemis Details -Artemis supports the OpenWire protocol and therefore has dependencies from "Classic" for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended. +ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies from ActiveMQ Classic for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.
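Review bot: the rename to "ActiveMQ Artemis" in this hunk is incomplete: the same paragraph still ends with "However, Artemis doesn't ship Spring so there is currently no known exploit." Either apply the full product name there too or keep the bare "Artemis" consistently after the first full mention, so the Details section does not mix both forms in one paragraph.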