This is an automated email from the ASF dual-hosted git repository.

mattrpav pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 9d6b79478 [NO-JIRA] Update CVE information to add clarity in language 
and add ActiveMQ 6.0.0 as a fixed release
9d6b79478 is described below

commit 9d6b7947875151f8f0e1d678709ba2900f4326d2
Author: Matt Pavlovich <m...@hyte.io>
AuthorDate: Wed Nov 22 07:56:51 2023 -0600

    [NO-JIRA] Update CVE information to add clarity in language and add 
ActiveMQ 6.0.0 as a fixed release
---
 src/_news/CVE-2023-46604.md | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
index 2afeadf84..1d757db1f 100644
--- a/src/_news/CVE-2023-46604.md
+++ b/src/_news/CVE-2023-46604.md
@@ -7,21 +7,22 @@ type: main
 ---
 #### Summary
 
-[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently 
announced and it has caused quite a bit of traffic on the mailing lists and in 
Jira from users curious about its impact on both "Classic" and Artemis clients 
and brokers. In short:
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently 
announced and it has caused quite a bit of traffic on the mailing lists and in 
Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ 
Artemis clients and brokers. In short:
 
-  - **Users of both "Classic" and Artemis brokers are recommended to upgrade.**
+  - **Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are 
recommended to upgrade.**
   - **Users of any Java-based OpenWire client (e.g. Maven dependency on 
`activemq-client`) are recommended to upgrade (regardless of which broker 
you're using).**
 
 New releases for all current branches were made available on the day the CVE 
was announced:
 
-"Classic":
+ActiveMQ Classic:
 
- - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last 
release from this branch)
- - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last 
release from this branch)
- - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [6.0.0](https://activemq.apache.org/activemq-6000000-release)
  - [5.18.3](https://activemq.apache.org/activemq-5018003-release)
+ - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last 
release from this branch)
+ - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last 
release from this branch)
 
-Artemis:
+ActiveMQ Artemis:
 
  - [2.31.2](https://activemq.apache.org/components/artemis/download/)
 
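Review bot: the unchanged lead-in above the list, "New releases for all current branches were made available on the day the CVE was announced:", now introduces an entry for 6.0.0, which the commit title describes as newly added as a fixed release; if 6.0.0 did not ship on the announcement day, reword the lead-in (for example "Fixed releases are available for all current branches:") so the sentence stays accurate for every entry below it. While touching this list, note that the Artemis entry ` - [2.31.2](https://activemq.apache.org/components/artemis/download/)` links to the generic download page whereas every Classic entry links to its own release page; a per-release link would let readers confirm the fixed version the same way for both brokers.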
@@ -34,17 +35,17 @@ As stated in the official CVE description:
 Three things are required to exploit this vulnerability:
 
  1. Network access
- 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class 
on the classpath with a `String` parameter)
+ 1. A manipulated OpenWire command (used to instantiate an arbitrary class on 
the classpath with a `String` parameter)
  1. A class on the classpath which can execute arbitrary code simply by 
instantiating it with a `String` parameter
  
 The manipulated command (i.e. #2) can be sent by a client to a broker or from 
a broker to a client so **both** are vulnerable.
 
-#### "Classic" Details
+#### ActiveMQ Classic Details
 
-The "Classic" broker ships with a handful of Spring dependencies including 
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html)
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side dependency as well. It 
has [a constructor](https://docs.spring.io/spring-frame [...]
+The ActiveMQ Classic broker ships with a handful of Spring dependencies 
including 
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html)
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side dependency as well. It 
has [a constructor](https://docs.spring.io/sprin [...]
 
 The only known exploit of this vulnerability uses this 
`ClassPathXmlApplicationContext` to load a malicious XML application 
configuration file from somewhere on the network via HTTP. This malicious XML 
specifically defines the arbitrary code to be run on the machine with the 
vulnerability (i.e. broker or client).
 
-#### Artemis Details
+#### ActiveMQ Artemis Details
 
-Artemis supports the OpenWire protocol and therefore has dependencies from 
"Classic" for this support. These dependencies include the vulnerable code. 
However, Artemis doesn't ship Spring so there is currently no known exploit. 
Regardless, upgrading is still recommended.
+ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies 
from ActiveMQ Classic for this support. These dependencies include the 
vulnerable code. However, Artemis doesn't ship Spring so there is currently no 
known exploit. Regardless, upgrading is still recommended.
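Review bot: the rewritten Artemis paragraph is internally inconsistent with the rest of this change: it opens with "ActiveMQ Artemis supports the OpenWire protocol" but then reverts to the bare name in "However, Artemis doesn't ship Spring", while every other occurrence in the commit was expanded to "ActiveMQ Artemis"; either expand this one too or adopt the short form after first mention throughout. Separately, "there is currently no known exploit" is a point-in-time statement; since the hunk itself says the Classic dependencies "include the vulnerable code", consider stating plainly that Artemis is affected and that the lack of a known Spring-based exploit does not change the recommendation, so "Regardless, upgrading is still recommended." reads as the primary message rather than an afterthought.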
