This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new 53a47d0c7 Add 2025 CVE announcements
53a47d0c7 is described below
commit 53a47d0c7f68fd1234103ec77880560a95f3c1f8
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Tue Mar 3 19:43:40 2026 -0500
Add 2025 CVE announcements
---
src/components/classic/security.md | 4 ++++
.../CVE-2025-27533-announcement.txt | 26 ++++++++++++++++++++
.../CVE-2025-29953-announcement.txt | 28 ++++++++++++++++++++++
.../CVE-2025-54539-announcement.txt | 28 ++++++++++++++++++++++
.../CVE-2025-66168-announcement.txt | 28 ++++++++++++++++++++++
5 files changed, 114 insertions(+)
diff --git a/src/components/classic/security.md
b/src/components/classic/security.md
index ac1fdb571..f8036a72c 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,10 @@ Details of security problems fixed in released versions of
Apache ActiveMQ Class
See the main [Security Advisories](../../security-advisories) page for details
for other components and general information such as reporting new security
issues.
+*
[CVE-2025-66168](../../security-advisories.data/CVE-2025-66168-announcement.txt)
- MQTT control packet remaining length field is not properly validated
+*
[CVE-2025-54539](../../security-advisories.data/CVE-2025-54539-announcement.txt)
- Deserialization of Untrusted Data
+*
[CVE-2025-29953](../../security-advisories.data/CVE-2025-29953-announcement.txt)
- Deserialization allowlist bypass
+*
[CVE-2025-27533](../../security-advisories.data/CVE-2025-27533-announcement.txt)
- Unchecked buffer length can cause excessive memory allocation
*
[CVE-2024-32114](../../security-advisories.data/CVE-2024-32114-announcement.txt)
- Jolokia and REST API were not secured with default configuration
*
[CVE-2023-46604](../../security-advisories.data/CVE-2023-46604-announcement.txt)
- Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a
remote code execution (RCE) attack
*
[CVE-2022-41678](../../security-advisories.data/CVE-2022-41678-announcement.txt)
- Deserialization vulnerability on Jolokia that allows authenticated users to
perform remote code execution (RCE)
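Review bot: two of the four new entries on the ActiveMQ Classic page describe client-side issues rather than broker issues, and the one-line descriptions do not say so. CVE-2025-29953 affects the NMS OpenWire Client (a .NET client library) and CVE-2025-54539 affects the NMS AMQP Client, per the Affected versions sections of the two announcement files added in this commit, while the surrounding list is the Classic broker's advisory list. Either move those two entries to the NMS component page or qualify the descriptions, e.g. `- NMS OpenWire Client: deserialization allowlist bypass` and `- NMS AMQP Client: deserialization of untrusted data`, so a broker operator scanning the list does not mistake them for broker vulnerabilities. The placement of the new entries (descending CVE number, above CVE-2024-32114) matches the existing list.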
diff --git a/src/security-advisories.data/CVE-2025-27533-announcement.txt
b/src/security-advisories.data/CVE-2025-27533-announcement.txt
new file mode 100644
index 000000000..d734eba20
--- /dev/null
+++ b/src/security-advisories.data/CVE-2025-27533-announcement.txt
@@ -0,0 +1,26 @@
+Affected versions:
+
+- Apache ActiveMQ 6.0.0 before 6.1.6
+- Apache ActiveMQ 5.18.0 before 5.18.7
+- Apache ActiveMQ 5.17.0 before 5.17.7
+- Apache ActiveMQ 5.16.0 before 5.16.8
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ.
+
+During unmarshalling of OpenWire commands the size value of buffers was not
properly validated which could lead to excessive memory allocation and be
exploited to cause a denial of service (DoS) by depleting process memory,
thereby affecting applications and services that rely on the availability of
the ActiveMQ broker when not using mutual TLS connections.
+This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0
before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not
affected.
+
+Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7,
or 5.16.8 or which fixes the issue.
+
+Existing users may implement mutual TLS to mitigate the risk on affected
brokers.
+
+This issue is being tracked as AMQ-6596
+
+References:
+
+https://lists.apache.org/thread/8hcm25vf7mchg4zbbhnlx2lc5bs705hg
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2025-27533
+https://issues.apache.org/jira/browse/AMQ-6596
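Review bot: the upgrade recommendation has a typo and an inconsistent version list: `5.17.7, or 5.16.8 or which fixes the issue` should read `5.17.7+, or 5.16.8+, which fixes the issue` (the `+` suffix is used for 6.1.6 and 5.18.7 but dropped for 5.17.7 and 5.16.8, and the stray `or` before `which` is a leftover). In the description paragraph, `before 5.16.8` omits the `from 5.16.0` lower bound that the Affected versions list gives the other ranges; write `from 5.16.0 before 5.16.8` for consistency. `This issue is being tracked as AMQ-6596` is missing its terminating period.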
diff --git a/src/security-advisories.data/CVE-2025-29953-announcement.txt
b/src/security-advisories.data/CVE-2025-29953-announcement.txt
new file mode 100644
index 000000000..42508b26c
--- /dev/null
+++ b/src/security-advisories.data/CVE-2025-29953-announcement.txt
@@ -0,0 +1,28 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ NMS OpenWire Client before 2.1.1
+
+Description:
+
+Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS
OpenWire Client.
+
+This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when
performing connections to untrusted servers. Such servers could abuse the
unbounded deserialization in the client to provide malicious responses that may
eventually cause arbitrary code execution on the client. Version 2.1.0
introduced a allow/denylist feature to restrict deserialization, but this
feature could be bypassed.
+
+The .NET team has deprecated the built-in .NET binary serialization feature
starting with .NET 9 and suggests migrating away from binary serialization. The
project is considering to follow suit and drop this part of the NMS API
altogether.
+
+Users are recommended to upgrade to version 2.1.1, which fixes the issue. We
also recommend to migrate away from relying on .NET binary serialization as a
hardening method for the future.
+
+This issue is being tracked as AMQNET-844
+
+Credit:
+
+g7shot working with Trend Zero Day Initiative (finder)
+
+References:
+
+https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2025-29953
+https://issues.apache.org/jira/browse/AMQNET-844
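Review bot: three grammar fixes in the description: `introduced a allow/denylist feature` should be `an allow/denylist feature`; `is considering to follow suit` should be `is considering following suit`; `We also recommend to migrate away from` should be `We also recommend migrating away from`. `This issue is being tracked as AMQNET-844` is missing its terminating period. Otherwise the structure (Severity, Affected versions, Description, Credit, References) is consistent with the CVE-2025-54539 file in this commit.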
diff --git a/src/security-advisories.data/CVE-2025-54539-announcement.txt
b/src/security-advisories.data/CVE-2025-54539-announcement.txt
new file mode 100644
index 000000000..9f6f467ce
--- /dev/null
+++ b/src/security-advisories.data/CVE-2025-54539-announcement.txt
@@ -0,0 +1,28 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ NMS AMQP Client through 2.3.0
+
+Description:
+
+A Deserialization of Untrusted Data vulnerability exists in the Apache
ActiveMQ NMS AMQP Client.
+
+This issue affects all versions of Apache ActiveMQ NMS AMQP up to and
including 2.3.0, when establishing connections to untrusted AMQP servers.
Malicious servers could exploit unbounded deserialization logic present in the
client to craft responses that may lead to arbitrary code execution on the
client side.
+
+Although version 2.1.0 introduced a mechanism to restrict deserialization via
allow/deny lists, the protection was found to be bypassable under certain
conditions.
+
+In line with Microsoft’s deprecation of binary serialization in .NET 9, the
project is evaluating the removal of .NET binary serialization support from the
NMS API entirely in future releases.
+
+Mitigation and Recommendations:
+Users are strongly encouraged to upgrade to version 2.4.0 or later, which
resolves the issue. Additionally, projects depending on NMS-AMQP should migrate
away from .NET binary serialization as part of a long-term hardening strategy.
+
+Credit:
+
+Security Research Team @ Endor Labs (finder)
+
+References:
+
+https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2025-54539
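Review bot: the `Mitigation and Recommendations:` header is the only section header in the four announcement files not followed by a blank line; the other headers (`Affected versions:`, `Description:`, `Credit:`, `References:`) all have one, so add a blank line after it for consistent rendering. The References section also has no tracking-issue link and no lists.apache.org thread link, unlike the CVE-2025-27533 and CVE-2025-29953 files, which both link their JIRA issue and announcement thread; if this advisory has a JIRA issue or announcement thread, add them here so readers have the same trail.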
diff --git a/src/security-advisories.data/CVE-2025-66168-announcement.txt
b/src/security-advisories.data/CVE-2025-66168-announcement.txt
new file mode 100644
index 000000000..de9d276f3
--- /dev/null
+++ b/src/security-advisories.data/CVE-2025-66168-announcement.txt
@@ -0,0 +1,28 @@
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
+- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
+- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before
6.1.9
+- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before
6.2.1
+- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
+- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before
6.1.9
+- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before
6.2.1
+
+Description:
+
+Apache ActiveMQ does not properly validate the remaining length field which
may lead to an overflow during the decoding of malformed packets. When this
integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining
Length and subsequently misinterpret the payload as multiple MQTT control
packets which makes the broker susceptible to unexpected behavior when
interacting with non-compliant clients. This behavior violates the MQTT v3.1.1
specification, which restricts Remaini [...]
+
+This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0
+
+Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which
fixes the issue.
+
+Credit:
+
+Gai Tanaka <[email protected]> (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2025-66168
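Review bot: the description paragraph is truncated. The last sentence ends `which restricts Remaini [...]`, so the committed text stops mid-word and the `[...]` marker was copied into the published advisory; complete the sentence from the CVE record linked in References before publishing. Two smaller points: `This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0` lacks a terminating period, and this file (like the CVE-2025-27533 one) has no `Severity:` line while the two NMS announcements in the same commit do; add one if the project assigned a severity, and consider adding the lists.apache.org announcement thread link that the other files carry.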