activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jbono...@apache.org
Subject [activemq-website] branch master updated: Publish CVE-2020-13920
Date Thu, 10 Sep 2020 04:18:10 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 5194fb8  Publish CVE-2020-13920
5194fb8 is described below

commit 5194fb8d2bc945ba747d883b97a59dacbdae327b
Author: jbonofre <jbonofre@apache.org>
AuthorDate: Thu Sep 10 06:13:12 2020 +0200

    Publish CVE-2020-13920
---
 .../CVE-2020-13920-announcement.txt                 | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/security-advisories.data/CVE-2020-13920-announcement.txt b/src/security-advisories.data/CVE-2020-13920-announcement.txt
new file mode 100644
index 0000000..b201e34
--- /dev/null
+++ b/src/security-advisories.data/CVE-2020-13920-announcement.txt
@@ -0,0 +1,21 @@
+CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Affected Version: Apache ActiveMQ version prior to 5.15.12
+
+Vulnerability details:
+Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
+registry and binds the server to the "jmxrmi" entry. It is possible
+to connect to the registry without authentication and call the rebind
+method to rebind jmxrmi to something else. If an attacker creates another
+server to proxy the original, and bound that, he effectively becomes a 
+man in the middle and is able to intercept the credentials when an user
+connects.
+
+Mitigation:
+Upgrade to Apache ActiveMQ 5.15.12
+
+Credit: Jonathan Gallimore & Colm O hEigeartaigh


Mime
View raw message