activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [activemq-website] branch master updated: Publish CVE-2020-11998
Date Thu, 10 Sep 2020 09:18:17 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch master
in repository

The following commit(s) were added to refs/heads/master by this push:
     new 68b440b  Publish CVE-2020-11998
68b440b is described below

commit 68b440b784f55041828b0ab6edff70cb3e62fa75
Author: jbonofre <>
AuthorDate: Thu Sep 10 11:17:48 2020 +0200

    Publish CVE-2020-11998
 src/components/classic/                 |  1 +
 .../CVE-2020-11998-announcement.txt                | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/components/classic/ b/src/components/classic/
index a9360e8..b3b7459 100644
--- a/src/components/classic/
+++ b/src/components/classic/
@@ -9,6 +9,7 @@ Details of security problems fixed in released versions of Apache ActiveMQ
5.x a
 See the main [Security Advisories](../../security-advisories) page for details for other
components and general information such as reporting new security issues.
+*   [CVE-2020-11998](../../ - JMX
remote client could execute arbitrary code
 *   [CVE-2020-13920](../../ - JMX
MITM vulnerability
 *   [CVE-2020-1941](../../ - XSS
in WebConsole
 *   [CVE-2019-0222](../../ - Corrupt
MQTT frame can cause broker shutdown
diff --git a/src/ b/src/
new file mode 100644
index 0000000..4b4c6d9
--- /dev/null
+++ b/src/
@@ -0,0 +1,23 @@
+CVE-2020-11998: Apache ActiveMQ JMX remote client could execute arbitrary code
+Severity: Moderate
+Vendor: The Apache Software Foundation
+Affected Version: only Apache ActiveMQ 5.15.12
+Vulnerability details: 
+A regression has been introduced in the commit preventing JMX re-bind.
+By passing an empty environment map to RMIConnectorServer, instead of the map that contains
+he authentication credentials, it leaves ActiveMQ open to the following attack:
+"A remote client could create a MBean and use
+ it to create new MBeans from arbitrary URLs, at least if there is no
+ security manager. In other words, a rogue remote client could make your
+ Java application execute arbitrary code."
+Mitigation: Upgrade to Apache ActiveMQ 5.15.13
+Credit: Jonathan Gallimore & Colm O hEigeartaigh

View raw message