This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch activemq-5.19.x
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/activemq-5.19.x by this push:
new fa7ded4b4d Update docs and default configs for advisory topics (#2055)
(#2058)
fa7ded4b4d is described below
commit fa7ded4b4d207386f9f57757713fa278738cee89
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Sun May 31 11:46:18 2026 -0400
Update docs and default configs for advisory topics (#2055) (#2058)
Also bring the SECURITY.md file up to date
(cherry picked from commit ba73f37574dc6949ac8171cbc907979f1ebdb4e8)
---
SECURITY.md | 89 ++++++++++++++++++++--
.../org/apache/activemq/security/jaas-broker.xml | 10 ++-
assembly/src/release/conf/activemq.xml | 15 +++-
3 files changed, 104 insertions(+), 10 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index b4949f05dc..aed5ac92ec 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,15 +1,90 @@
-# Security Policy
+# Apache ActiveMQ Security Policy
## Supported Versions
-| Version | Supported |
-| ------- | ------------------ |
-| 5.18.x | :white_check_mark: |
-| 5.17.x | :white_check_mark: |
-| 5.16.x | :white_check_mark: |
-| <= 5.15.x | :x: |
+| Version | Supported | Note |
+| ------- | ------------------ | ---- |
+| 6.2.x | :white_check_mark: | |
+| 6.1.x | :x: | |
+| 6.0.x | :x: | |
+| 5.19.x | :white_check_mark: | Except for EOL dependencies: Spring and
Jetty |
+| <= 5.18.x | :x: | |
## Reporting a Vulnerability
For information on how to report a new security problem please see
[here](https://www.apache.org/security/).
Our existing security advisories are published
[here](https://activemq.apache.org/security-advisories).
+
+## ActiveMQ's Security Severity Rating system
+
+Apache ActiveMQ has adopted Apache's Security Severity system. This rating
system
+was designed to provider users a simple range of severity to plan their updates
+accordingly.
+
+The CVSS scoring system is complex and there are gaps in the definitions that
+can lead to prolonged negotiation over security scoring.
+
+The Apache Security Severity system provides a fair balance to users and
researchers,
+while easing the effort required by the Apache ActiveMQ volunteers.
+
+## ActiveMQ Security Recommendations
+
+Apache ActiveMQ's flexibility and wide ranging set of capabilities and
features lends
+itself to being exposed to security vulnerabilities, especially ones from
third-party
+projects such as Spring and Jolokia.
+
+Apache ActiveMQ project recommends applying defense-in-depth and
security-first to provide layers of security to environments running production
workloads.
+
+Layers of security provide valuable options to prevent attacks, and to provide
a buffer for when vulnerabilities at any layer are reported to provide
reasonable time to test and apply fixes without impacting business-critical
messaging traffic.
+
+Users are advised to secure their environments
+
+1. The web console is not designed to be exposed to the public Internet.
+
+2. Require user authentication and authorization for all connectivity
including JMX, Jolokia, REST API and the web console.
+
+3. Require SSL connections on all transport connectors.
+
+4. Disable transport connectors for protocols that are not used by application
clients.
+
+5. Two-way SSL is the recommended security mechanism for identity and
authentication of application clients.
+
+6. Stay current with Java JDK updates
+
+7. Use highest possible security SSL protocol and algorithms.
+
+8. Limit inbound and outbound network connectivity to and from an ActiveMQ
server.
+
+9. Normal users need permission to create advisory topics but should generally
**not** be given permission to read/write to those topics as those messages are
meant for admins. A notable exception is for temporary destination advisory
topics. For more information see the authorization section
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
+
+## ActiveMQ Security Improvement Project
+
+The Apache ActiveMQ team has initiated a security hardening project to move
from a default configuration that is geared for developer testing and learning
to a secured-by-default stance.
+
+1. Enhancements to the SSL authentication plugin to fix wantAuth mode
+
+2. Updates to SSL handling to allow configuring per-transport and per-network
connector SSL keys
+
+3. Refactoring of Jetty service to use Jetty-provided configurations instead
of Spring-style configuration for Jetty service used by API and web console.
+
+4. [Done] Limiting XBean URI schemes
+
+5. Long-term: Replace Spring as the primary means of configuring and booting
Apache ActiveMQ servers.
+
+6. Add allow/deny lists to transport connectors to limit IP addresses
+
+7. [Done] VM Transport creation blocks the XBean factory by default
+
+## Security vs Features
+
+AI code scanning tools often mistaken designed features as a security issue.
It is the responsibility of the reporter to review AI output and verify if it's
a real issue. There has been a large number of invalid submissions that could
be avoided by simply reviewing the JMS spec and the features of the broker
itself.
+
+Some of the most common reported examples:
+
+1. JMS Selectors - An optional query parameter designed to filter messages on
a queue or topic that is not security related. It is used by clients to consume
a subset of messages on the destination instead of all messages. However, if a
client is authorized for a destination it is always free to consume all the
messages if it chooses so by simply not setting the selector. Therefore any
reports showing issues with selectors allowing the consumption of extra
messages would be considered a [...]
+
+2. ClientId - A non-secret unique identifier used to provide
once-and-only-once delivery that are designed to be used between connections
and be deleted. The JMS spec specifically allows any authorized connection to
use the same clientid as long as it isn't currently in use. Some protocols,
such as MQTT, also allow link stealing and taking over if in use.
+
+3. Durable Subscriptions - The JMS spec allows authorized connections to
connect to any existing durable subscription (combination of client id and
subscription name) as long as it is offline. Authorized clients are allowed to
delete the durable subscriptions as well even if they didn't create it.
+
+4. BlobMessages - Blob message support is a side-channel for moving large
messages with the JMS API by routing the large message through a different
endpoint such as http, sftp or scp. Clients using BlobMessages are responsible
for validating the authenticity and validity of the uri provided by the
received message before taking any action such as downloading or deleting the
file. ActiveMQ recommends using SSL secured transports, with two-way SSL as the
most preferred.
diff --git
a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
index c36fec53e6..246921584f 100644
---
a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
+++
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
@@ -45,8 +45,14 @@
<authorizationEntry topic=">" read="admins" write="admins"
admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users"
admin="users" />
<authorizationEntry topic="GUEST.>" read="guests"
write="guests,users" admin="guests,users" />
-
- <authorizationEntry topic="ActiveMQ.Advisory.>" read="*"
write="guests,users" admin="guests,users"/>
+
+ <!-- Grant all users the ability to create/delete advisory
destinations
+ but only admins read/write -->
+ <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins"
write="admins" admin="guests,users"/>
+
+ <!-- All users need full access to temporary destination
advisories -->
+ <authorizationEntry topic="ActiveMQ.Advisory.TempQueue" read="*"
write="*" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.TempTopic" read="*"
write="*" admin="*"/>
</authorizationEntries>
<!-- let's assign roles to temporary destinations. comment this
entry if we don't want any roles assigned to temp destinations -->
diff --git a/assembly/src/release/conf/activemq.xml
b/assembly/src/release/conf/activemq.xml
index d5658cd7f4..db176d4485 100644
--- a/assembly/src/release/conf/activemq.xml
+++ b/assembly/src/release/conf/activemq.xml
@@ -73,6 +73,17 @@
in bin/env (an empty value blocks ObjectMessage
deserialization
entirely; specify only packages you explicitly trust).
+ NOTE ABOUT ADVISORY TOPICS:
+ 1. All users need permission to create ActiveMQ.Advisory
destinations,
+ which is given by the "admin" acl. However, normal users
should
+ generally NOT be given access to read/write for advisories
(except temp)
+ as those messages are meant for admin users.
+ 2. A notable exception to number 1 is regular users should be
given access to
+ advisories for temporary destinations because
ActiveMQConnection uses those advisories.
+ 3. In addition, dynamic network connectors use advisories to
determine
+ consumer demand so the users that will be used to create
bridges need access
+ consumer and virtual destination consumer advisories.
+
For more information, see:
https://activemq.apache.org/security
-->
@@ -86,7 +97,9 @@
<authorizationEntries>
<authorizationEntry queue=">" read="admins"
write="admins" admin="admins" />
<authorizationEntry topic=">" read="admins"
write="admins" admin="admins" />
- <authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins,users" write="admins,users" admin="admins,users" />
+ <authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins" write="admins" admin="admins,users" />
+ <authorizationEntry
topic="ActiveMQ.Advisory.TempQueue" read="admins,users" write="admins,users"
admin="admins,users"/>
+ <authorizationEntry
topic="ActiveMQ.Advisory.TempTopic" read="admins,users" write="admins,users"
admin="admins,users"/>
</authorizationEntries>
</authorizationMap>
</map>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
