List: activemq-commits
Subject: (activemq-website) branch asf-site updated: Automatic Site Publish by Buildbot
From: git-site-role () apache ! org
Date: 2024-04-30 15:09:32
Message-ID: 171448977209.1732994.840690725949041408 () gitbox2-he-fi ! apache ! org
This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f5fc7235d Automatic Site Publish by Buildbot
f5fc7235d is described below
commit f5fc7235df40422fa594a91c25903bee334cf336
Author: buildbot <users@infra.apache.org>
AuthorDate: Tue Apr 30 15:09:29 2024 +0000
Automatic Site Publish by Buildbot
---
output/components/classic/security.html | 1 +
.../CVE-2024-32114-announcement.txt | 25 ++++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/output/components/classic/security.html \
b/output/components/classic/security.html index 50add1bee..e8d63a702 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,7 @@
<p>See the main <a href="../../security-advisories">Security Advisories</a> page for \
details for other components and general information such as reporting new security \
issues.</p>
<ul>
+ <li><a href="../../security-advisories.data/CVE-2024-32114-announcement.txt">CVE-2024-32114</a> \
- Jolokia and REST API were not secured with default configuration</li> <li><a \
href="../../security-advisories.data/CVE-2023-46604-announcement.txt">CVE-2023-46604</a> \
- Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a remote code \
execution (RCE) attack</li> <li><a \
href="../../security-advisories.data/CVE-2022-41678-announcement.txt">CVE-2022-41678</a> \
- Deserialization vulnerability on Jolokia that allows authenticated users to perform \
remote code execution (RCE)</li> <li><a \
href="../../security-advisories.data/CVE-2021-26117-announcement.txt">CVE-2021-26117</a> \
- ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous \
bind</li>
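Review bot: the new `<li>` text omits the affected version range that the advisory itself states ("Apache ActiveMQ 6.x before 6.1.2"), which is the first thing a reader scanning this list uses to decide whether to act; consider `CVE-2024-32114 - Jolokia and REST API were not secured with default configuration (6.x before 6.1.2)`. The link target `../../security-advisories.data/CVE-2024-32114-announcement.txt` does match the file created in the second hunk, and the entry keeps the list newest-first, so the wiring is consistent with the existing CVE-2023-46604 and CVE-2022-41678 entries.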
diff --git a/output/security-advisories.data/CVE-2024-32114-announcement.txt \
b/output/security-advisories.data/CVE-2024-32114-announcement.txt new file mode \
100644 index 000000000..b39b2036f
--- /dev/null
+++ b/output/security-advisories.data/CVE-2024-32114-announcement.txt
@@ -0,0 +1,25 @@
+Affected versions:
+
+- Apache ActiveMQ 6.x before 6.1.2
+
+Description:
+
+In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context \
(where the Jolokia JMX REST API and the Message REST API are located). +
+It means that anyone can use these layers without any required authentication. \
Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or \
produce/consume messages or purge/delete destinations (using the Message REST API).To \
mitigate, users can update the default conf/jetty.xml configuration file to add \
authentication requirement: +
+<bean id="securityConstraintMapping" \
class="org.eclipse.jetty.security.ConstraintMapping"> + <property name="constraint" \
ref="securityConstraint" /> + <property name="pathSpec" value="/" />
+</bean>
+
+Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default \
configuration has been updated with authentication by default. +
+This issue is being tracked as AMQ-9477
+
+References:
+
+https://activemq.apache.org/security-advisories.data/CVE-2024-32114
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2024-32114
+https://issues.apache.org/jira/browse/AMQ-9477
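Review bot: the first entry under References, `https://activemq.apache.org/security-advisories.data/CVE-2024-32114`, does not match the path of the file this hunk creates (`security-advisories.data/CVE-2024-32114-announcement.txt`, which is also what the security.html link in the previous hunk points at); either append `-announcement.txt` or drop the entry, otherwise the advisory links to itself at a different URL. On the mitigation text: the `<bean id="securityConstraintMapping">` snippet refers to `ref="securityConstraint"` without showing that bean or where in conf/jetty.xml the mapping is registered, so a reader cannot apply it verbatim; and `pathSpec` value `/` puts the whole API web context behind the constraint, which is worth saying explicitly since the text names two distinct endpoints (Jolokia JMX REST API and Message REST API). Minor: a space is missing in "(using the Message REST API).To mitigate".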