ActiveMQ Artemis supports the OpenWire protocol via dependencies from
ActiveMQ "Classic." Until ActiveMQ Artemis 2.31.1, those dependencies
contain the vulnerable code, which means ActiveMQ Artemis ships the
vulnerable code. However, the only known exploit of this vulnerability
requires Spring dependencies as well, which exist in ActiveMQ "Classic" but
*do not exist* in ActiveMQ Artemis. So while ActiveMQ Artemis is
vulnerable, there is no known exploit and no exploit may actually be
possible.

As I understand it, the CVE doesn't list all the pieces of software that
depend upon the vulnerable libraries as there's no way to actually know
every such piece of software. Consider the Log4Shell vulnerability (i.e.
CVE-2021-44228) from a few years back. The CVE didn't list all the software
that depended on the affected versions of Log4j.


Justin

On Thu, Nov 2, 2023 at 3:13 AM Thorsten Meinl <thorsten.me...@knime.com>
wrote:

> Hi,
>
> On Wednesday, 01.11.2023 at 14:29 -0500, Justin Bertram wrote:
> > ActiveMQ Artemis 2.31.1 was released October 25 (i.e. right before the CVE
> > was announced) and it contains libraries from ActiveMQ "Classic" 5.17.6
> > which are not vulnerable to CVE-2023-46604.
> Does this imply that Artemis is potentially also affected by this
> vulnerability? The CVE and all other sources indicate that only
> ActiveMQ is affected.
>
>
> Thanks,
>
> Thorsten
>
> >
> > On Wed, Nov 1, 2023 at 1:56 PM Steigerwald, Aaron
> > <asteigerw...@brandesassociates.com.invalid> wrote:
> >
> > > Hello,
> > >
> > > Does anyone have an estimate for how soon Apache Artemis will be delivered
> > > with Apache ActiveMQ artifacts that address the critical CVE-2023-46604
> > > "Apache ActiveMQ is vulnerable to Remote Code Execution" fix?
> > >
> > > Fix details can be found here:
> > >
> > > https://github.com/advisories/GHSA-crg9-44h2-xw35
> > >
> > > Thank you,
> > > Aaron
> > >
>
> --
> Dr.-Ing. Thorsten Meinl
> KNIME AG
> Talacker 50
> 8001 Zurich, Switzerland
>
>
>
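
A check for the situation described in this thread, as an added example that is not part of the original messages or of the project's code: it walks a broker installation and reports which ActiveMQ "Classic" client jars predate 5.17.6. The jar name `activemq-client-<version>.jar` and the function names are assumptions; release lines other than 5.17 are reported for manual review because the thread gives no fixed version for them.

```python
import re
import sys
from pathlib import Path

# Assumption: the ActiveMQ "Classic" client library follows Maven naming,
# activemq-client-<version>.jar, wherever the broker keeps its jars.
CLIENT_JAR = re.compile(r"^activemq-client-(\d+(?:\.\d+)+)(?:[.-].+)?\.jar$")

# 5.17.6 is the one "Classic" version this thread names as not vulnerable.
FIXED = (5, 17, 6)

# Constructed file names, used only when no directory is given.
SAMPLE = ["activemq-client-5.17.2.jar", "activemq-client-5.17.6.jar",
          "activemq-client-5.18.1.jar", "artemis-openwire-protocol-2.31.1.jar"]


def classify(jar_name):
    """Return (version, verdict) for a client jar name, else None."""
    match = CLIENT_JAR.match(jar_name)
    if match is None:
        return None
    version = match.group(1)
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] != FIXED[:2]:
        # Other release lines have their own fixed versions, which the thread
        # does not list, so a plain numeric comparison would mislead.
        return version, "check-advisory"
    return version, ("not-vulnerable" if parts >= FIXED else "vulnerable")


def scan(root):
    """Walk root; return sorted (relative path, version, verdict) rows."""
    rows = []
    for jar in Path(root).rglob("*.jar"):
        result = classify(jar.name)
        if result is not None:
            rows.append((jar.relative_to(root).as_posix(), *result))
    return sorted(rows)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = scan(sys.argv[1])
    else:
        rows = [(n, *r) for n in SAMPLE if (r := classify(n)) is not None]
    for path, version, verdict in rows:
        print(f"{verdict:15} {version:8} {path}")
    # Non-zero exit lets a patch audit or CI job fail on a vulnerable jar.
    sys.exit(1 if any(v == "vulnerable" for _, _, v in rows) else 0)
```

A "vulnerable" row means the affected code is present on disk, which is the condition the reply above describes; it says nothing about whether an exploit path exists in that deployment.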
