Re: CVE-2020-13931 is Fake vulnerability

2020-12-23 Thread Zahid Rahman
lead to JMX being enabled this email
> here is the content about this email:
> Severity: High
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache TomEE 8.0.0-M1 - 8.0.3
> A

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Apache Security Team
> If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface,

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Jonathan Gallimore
t;>>>>> Kind Regards >>>>>> >>>>>> Jon >>>>>> >>>>>> >>>>>> On Mon, Dec 21, 2020 at 2:37 PM r00t 4dm wrote: >>>>>> >>>>>>> Hello, >>>

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Jonathan Gallimore
> > fix did not cover this edge case.
> > Mitigation:
> > - Upgrade to TomEE 7.0.9 or later
> > - Upgrade to TomEE 7.1.4 or later
> > - Upgrade to TomEE 8.0.4 or later
> > Ensure the correct VM broker name is used consistently across the resource adapter config.
> > Credit: Thanks to Frans Henskens for discovering and reporting this issue.
>
> So, I used TomEE 7.1.3 to test this vulnerability, and I found this vulnerability is fake.
> Frans Henskens has something wrong.
>
> tomee.xml
>
> BrokerXmlConfig=broker:(vm://localhost:61616)
> ServerUrl = vm://localhost?async=true
>
> I use this to start up TomEE 7.1.3.
>
> About the CVE-2020-11969 security patch code in ActiveMQ5Factory.java: this is done before start (managementContext.setCreateConnector(false);).
>
> So, let me see: it can't call the createConnector() function, because before start() it is already managementContext.setCreateConnector(false); so the unauthorized JMX service on 1099 will not be enabled.
> CVE-2020-13931 is a fake vulnerability.
>
> Did you test exactly what he said was a safety issue?
> Looking forward to your reply.
>
> r00t4dm
> A-TEAM of Legendsec at Qi'anxin Group
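The advisory's mitigation text quoted above asks that the VM broker name be used consistently across the resource adapter config, and r00t4dm's test config uses `vm://localhost` in both BrokerXmlConfig and ServerUrl. The following is an added example, not TomEE project code and not anything posted in the thread: a small lint that pulls the `vm://` broker name out of both properties of every ActiveMQResourceAdapter Resource in a tomee.xml and flags a mismatch. The XML below is constructed for illustration; the Resource ids and the second, deliberately mismatched adapter (`vm://tomee` vs `vm://localhost`) are assumptions, not configs from the thread.

```python
"""Lint a tomee.xml for an inconsistent VM broker name across the embedded
ActiveMQ resource adapter properties.  Added example; not TomEE project code."""
import re
import xml.etree.ElementTree as ET

# First vm:// URI in a string; the name ends at ':' (port), '?' (params), ')' etc.
VM_NAME_RE = re.compile(r"vm://([^/:?&)\s]+)")


def parse_properties(text):
    """Parse the 'key = value' lines that make up a <Resource> element body."""
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def vm_broker_name(uri):
    """Return the broker name of the first vm:// URI in `uri`, or None.

    Works for the plain form (vm://localhost?async=true) and for the
    BrokerXmlConfig wrapper form (broker:(vm://localhost:61616)).
    """
    if uri is None:
        return None
    m = VM_NAME_RE.search(uri)
    return m.group(1) if m else None


def lint_tomee_xml(xml_text):
    """Return [(resource_id, finding), ...] for each ActiveMQResourceAdapter."""
    findings = []
    root = ET.fromstring(xml_text)
    for res in root.iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        rid = res.get("id", "<no id>")
        props = parse_properties(res.text)
        broker = vm_broker_name(props.get("BrokerXmlConfig"))
        server = vm_broker_name(props.get("ServerUrl"))
        if broker is None or server is None:
            findings.append((rid, "no vm:// broker name in BrokerXmlConfig/ServerUrl; review manually"))
        elif broker != server:
            findings.append((rid, f"VM broker name mismatch: BrokerXmlConfig uses "
                                  f"'{broker}', ServerUrl uses '{server}'"))
        else:
            findings.append((rid, f"consistent VM broker name '{broker}'"))
    return findings


# Constructed sample.  The first adapter mirrors the two property lines from the
# thread; the second adapter and both ids are assumed for illustration.
SAMPLE_TOMEE_XML = """<tomee>
  <Resource id="ConsistentAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://localhost:61616)
    ServerUrl = vm://localhost?async=true
  </Resource>
  <Resource id="MismatchedAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig=broker:(vm://tomee:61616)
    ServerUrl = vm://localhost?async=true
  </Resource>
</tomee>
"""

if __name__ == "__main__":
    for rid, finding in lint_tomee_xml(SAMPLE_TOMEE_XML):
        print(f"{rid}: {finding}")
```

Run it against a real deployment by reading `conf/tomee.xml` instead of the constructed sample. A clean result only shows the names agree; whether TCP 1099 actually listens on a given TomEE build still has to be confirmed on the running instance, as r00t4dm did.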

Re: CVE-2020-13931 is Fake vulnerability

2020-12-22 Thread Mark J Cox
Hi Jonathan That's a perfect approach and reply suggestion, go for it! I wonder too sometimes if this is a tactic in order for a lazy researcher to try to gain a reproducer. (I wouldn't worry about cc'ing in private@tomee though, you probably don't want to get that list too polluted, dev/user