Hi Arturo,

It looks like your initial theory is correct: ActiveMQ announced support for Jolokia in version 5.8.0 (https://activemq.apache.org/components/classic/download/classic-05-08-00).

You can find the corresponding Jira ticket using this link: https://issues.apache.org/jira/browse/AMQ-4219

Browsing the code, you can also see that Christopher L. Shannon fixed the issue using jolokia-access.xml (I was not able to find this file in the previous versions of ActiveMQ, including 5.6):

https://issues.apache.org/jira/browse/AMQ-9201
https://github.com/apache/activemq/commit/6120169e5

If you have added the Jolokia plugin to your ActiveMQ 5.6 deployment, you may want to replicate what Christopher did with the jolokia-access.xml file to restrict the actions allowed to Jolokia.

Best regards,
Samir

________________________________
From: Arturo Borrero Gonzalez <art...@debian.org>
Sent: November 24, 2024 10:34
To: dev@activemq.apache.org <dev@activemq.apache.org>
Subject: about CVE-2022-41678 in activemq 5.6.0

Hi there,

As part of the Debian (E)LTS initiative, I'm working on trying to fix CVE-2022-41678 on the activemq packages in Debian. In particular, I'm interested in Debian Jessie and activemq 5.6.0.

The patch [0] to correct the Jolokia config doesn't apply to the source code we have in Debian for activemq 5.6.0, and I suspect this is because that version may not include the Jolokia integration.

I wanted to confirm this theory, but I'm not familiar enough with the activemq codebase, or the history of older releases.

Please, let me know how you think we should deal with CVE-2022-41678 in activemq 5.6.0.

thanks, regards.

[0] https://github.com/apache/activemq/commit/bf65929fdc607d5bb953a507c2f0c7256ae8e5b6