I'd like to propose the following approach for the WebConsole:

- AMQ adopts the position that the web console is for internal use only and that exposing it to third parties is not recommended due to possible vulnerabilities (I've personally always held this view and made this recommendation to all). It is a "web console" for management and control of the broker - not a messaging application front-end.
- We update the ActiveMQ website to clearly document this position and warn folks that it is enabled by default out-of-the-box.
- As CVEs are reported, we open jira tickets with the core details, and respond to the reporter with thanks for their contribution and that we may address at a future time, then reject the CVE with the statement that web console vulnerabilities are recognized and the solution is to firewall the web console.
In addition, for those that feel a strong need to fully secure the broker for whatever reason, how about we look to simplify the work of disabling the console? If there already exists a simple way, please let me know and I'll update this page, http://activemq.apache.org/web-console.html, with those instructions.

Please let me know your thoughts.

Art

On Thu, Apr 26, 2018 at 12:58 PM, Daniel Kulp <[email protected]> wrote:

> > Furthermore, there are certain things that require PMC members to
> > handle so there would still need to be people on the PMC willing to
> > support the web console as well (which hasn't really been the case
> > other than a few minor fixes I have committed the past couple years).
>
> That's something that is easily fixed by the PMC if someone steps up to
> work on the console: vote them into the PMC.
>
> --
> Daniel Kulp
> [email protected] - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
