This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new f5fc7235d Automatic Site Publish by Buildbot f5fc7235d is described below commit f5fc7235df40422fa594a91c25903bee334cf336 Author: buildbot <us...@infra.apache.org> AuthorDate: Tue Apr 30 15:09:29 2024 +0000 Automatic Site Publish by Buildbot --- output/components/classic/security.html | 1 + .../CVE-2024-32114-announcement.txt | 25 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/output/components/classic/security.html b/output/components/classic/security.html index 50add1bee..e8d63a702 100644 --- a/output/components/classic/security.html +++ b/output/components/classic/security.html @@ -97,6 +97,7 @@ <p>See the main <a href="../../security-advisories">Security Advisories</a> page for details for other components and general information such as reporting new security issues.</p> <ul> + <li><a href="../../security-advisories.data/CVE-2024-32114-announcement.txt">CVE-2024-32114</a> - Jolokia and REST API were not secured with default configuration</li> <li><a href="../../security-advisories.data/CVE-2023-46604-announcement.txt">CVE-2023-46604</a> - Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a remote code execution (RCE) attack</li> <li><a href="../../security-advisories.data/CVE-2022-41678-announcement.txt">CVE-2022-41678</a> - Deserialization vulnerability on Jolokia that allows authenticated users to perform remote code execution (RCE)</li> <li><a href="../../security-advisories.data/CVE-2021-26117-announcement.txt">CVE-2021-26117</a> - ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind</li> diff --git a/output/security-advisories.data/CVE-2024-32114-announcement.txt b/output/security-advisories.data/CVE-2024-32114-announcement.txt new file mode 100644 index 000000000..b39b2036f --- /dev/null +++ b/output/security-advisories.data/CVE-2024-32114-announcement.txt 
@@ -0,0 +1,25 @@ +Affected versions: + +- Apache ActiveMQ 6.x before 6.1.2 + +Description: + +In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). + +It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: + +<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> + <property name="constraint" ref="securityConstraint" /> + <property name="pathSpec" value="/" /> +</bean> + +Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default. + +This issue is being tracked as AMQ-9477 + +References: + +https://activemq.apache.org/security-advisories.data/CVE-2024-32114 +https://activemq.apache.org/ +https://www.cve.org/CVERecord?id=CVE-2024-32114 +https://issues.apache.org/jira/browse/AMQ-9477
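Review bot: in the security.html hunk, the new list entry's one-line summary ("Jolokia and REST API were not secured with default configuration") drops the version scope that the linked announcement gives ("Apache ActiveMQ 6.x before 6.1.2"), while the neighbouring entries read as applying to ActiveMQ Classic generally, so a 5.x operator scanning this list will read it as affecting them. Suggest wording it the way the announcement does, e.g. "Jolokia and REST API were not secured in the default configuration of ActiveMQ 6.x (before 6.1.2)", so the list line and the advisory it links to agree on scope.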
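Review bot: in the new CVE-2024-32114-announcement.txt, the first entry under "References:" (`https://activemq.apache.org/security-advisories.data/CVE-2024-32114`) does not match the file this same commit creates and links to from security.html (`../../security-advisories.data/CVE-2024-32114-announcement.txt`), so the advisory's self-reference will not resolve; it should read `https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt`. In the same hunk, the mitigation for users who cannot upgrade is not applicable as written: the `securityConstraintMapping` bean points at `securityConstraint` via `ref`, but the hunk shows neither that bean (the one that actually turns on authentication and names the required roles) nor the handler whose constraint mappings the new bean must be added to, so a reader of conf/jetty.xml on 6.1.1 or earlier cannot tell what to paste where. Suggest either including the full snippet (constraint bean plus the mapping plus where it is registered) or pointing at the 6.1.2 jetty.xml as the reference configuration, and stating plainly that the upgrade is the recommended fix and the jetty.xml edit is a stopgap. Minor: "(using the Message REST API).To mitigate" is missing a space after the full stop.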