THALES GROUP LIMITED DISTRIBUTION to email recipients

Hello everyone,

Forget my last post.

If I look at CVE-2026-34197, it requires user/password authentication on the ActiveMQ console using the following URL: http://localhost:8161/admin and then a call to http://localhost:8161/api/jolokia/.

I think that if we use any JMS APIs in our code, ActiveMQ will be started, right?
The question is: does the ActiveMQ console start as well?
If yes, is there a way to forbid access to the path api/jolokia?

Best Regards.

-----Original Message-----
From: COURTAULT Francois <[email protected]>
Sent: Wednesday, 27 May 2026 18:22
To: [email protected]
Subject: RE: [ANNOUNCE] Apache TomEE 10.1.5

Hello Richard,

If I look at CVE-2026-34197, it requires user/password authentication using the following URL: http://localhost:8161/admin and then a call to http://localhost:8161/api/jolokia/.

But it seems that TomEE 10.0.1 doesn't start the ActiveMQ console. So, this CVE is not present in TomEE, right?
Is there a way, using TomEE, to start the ActiveMQ console? If there is none, then TomEE isn't affected by this CVE, right?

Best Regards.

-----Original Message-----
From: Richard Zowalla <[email protected]>
Sent: Tuesday, 5 May 2026 12:32
To: [email protected]
Subject: Re: [ANNOUNCE] Apache TomEE 10.1.5

Just replace the related jar files in the distribution.

> On 05.05.2026 at 12:27, COURTAULT Francois <[email protected]> wrote:
>
> Hello,
>
> Congrats on this new release 😊
>
> Regarding ActiveMQ, I agree that ActiveMQ 6.2.5 was released 15 days
> after 6.2.4, so it is quite difficult to integrate in TomEE 10.1.5.
> Do you think there is high risk if I update ActiveMQ to 6.2.5 instead of
> 6.2.4 (7 jars to update)?
>
> Why not integrate neethi 3.2.2 instead of neethi 3.2.1, which fixes 1
> critical CVE: CVE-2026-42403? Is it because it hasn't been tagged as Latest?
> Same question: high risk if I replace neethi 3.2.1 with neethi 3.2.2?
>
> Best Regards.
>
> -----Original Message-----
> From: Markus Jung <[email protected]>
> Sent: Tuesday, 5 May 2026 10:30
> To: [email protected]; [email protected]; [email protected]
> Subject: [ANNOUNCE] Apache TomEE 10.1.5
>
> The Apache TomEE team is pleased to announce the general availability of
> TomEE 10.1.5
>
> Apache TomEE delivers enterprise application containers and services based
> on, but not limited to the Enterprise JavaBeans Specification and
> Java/Jakarta Enterprise Edition Specifications.
>
> This release ships fixes related to the implementation of the
> @OpenIdAuthenticationMechanismDefinition, fixes an issue with resource
> construction, has a small improvement in logging, and features the usual
> dependency upgrades.
>
> Full release notes: https://tomee.apache.org/10.1.5/release-notes.html
>
> Downloads are available at: https://tomee.apache.org/download.html
>
> - The Apache TomEE Team
