After some additional internal discussion we'll be updating the description of the CVE as well as the details on the ActiveMQ website to revise our guidance and make this potential exploit more clear.
Thanks for following up!

Justin

On Tue, Nov 7, 2023 at 4:07 AM Colm O hEigeartaigh <[email protected]> wrote:

> Thanks JB. What's to stop a malicious broker trying to recreate the
> vulnerability then by sending a crafted message to a client?
>
> Colm.
>
> On Mon, Nov 6, 2023 at 2:53 PM Jean-Baptiste Onofré <[email protected]> wrote:
> >
> > Hi Colm
> >
> > It's on the broker side, not on the client side. However, the change
> > is also on client side as it's on the openwire marshalling (shared
> > between the client and the broker).
> >
> > Regards
> > JB
> >
> > On Mon, Nov 6, 2023 at 3:28 PM Colm O hEigeartaigh <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > Security vendors (e.g.
> > > https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are
> > > flagging CVE-2023-46604 against activemq-client (I guess by looking at
> > > the changes to activemq-client
> > > https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436).
> > > However the explanation on
> > > https://activemq.apache.org/news/cve-2023-46604 only mentions the
> > > broker as being vulnerable "The vulnerability may allow a remote
> > > attacker with network access to a broker to run arbitrary shell
> > > commands"...
> > >
> > > Is a client of ActiveMQ vulnerable to this CVE if for example it
> > > parses a malicious message from the broker? Or is it indeed only the
> > > broker who is vulnerable?
> > >
> > > Thanks,
> > >
> > > Colm.
