activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From git-site-r...@apache.org
Subject [activemq-website] branch asf-site updated: Automatic Site Publish by Buildbot
Date Thu, 10 Sep 2020 09:22:36 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new e3ed0e5  Automatic Site Publish by Buildbot
e3ed0e5 is described below

commit e3ed0e5473cfdfbc63bf79474817c5b18b449751
Author: buildbot <users@infra.apache.org>
AuthorDate: Thu Sep 10 09:22:32 2020 +0000

    Automatic Site Publish by Buildbot
---
 output/components/classic/security.html            |  1 +
 .../CVE-2020-11998-announcement.txt                | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/output/components/classic/security.html b/output/components/classic/security.html
index b5cee72..d6ac46b 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,7 @@
 <p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting new security
issues.</p>
 
 <ul>
+  <li><a href="../../security-advisories.data/CVE-2020-11998-announcement.txt">CVE-2020-11998</a>
- JMX remote client could execute arbitrary code</li>
   <li><a href="../../security-advisories.data/CVE-2020-13920-announcement.txt">CVE-2020-13920</a>
- JMX MITM vulnerability</li>
   <li><a href="../../security-advisories.data/CVE-2020-1941-announcement.txt">CVE-2020-1941</a>
- XSS in WebConsole</li>
   <li><a href="../../security-advisories.data/CVE-2019-0222-announcement.txt">CVE-2019-0222</a>
- Corrupt MQTT frame can cause broker shutdown</li>
diff --git a/output/security-advisories.data/CVE-2020-11998-announcement.txt b/output/security-advisories.data/CVE-2020-11998-announcement.txt
new file mode 100644
index 0000000..4b4c6d9
--- /dev/null
+++ b/output/security-advisories.data/CVE-2020-11998-announcement.txt
@@ -0,0 +1,23 @@
+CVE-2020-11998: Apache ActiveMQ JMX remote client could execute arbitrary code
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Affected Version: only Apache ActiveMQ 5.15.12
+
+Vulnerability details: 
+A regression has been introduced in the commit preventing JMX re-bind.
+By passing an empty environment map to RMIConnectorServer, instead of the map that contains
+he authentication credentials, it leaves ActiveMQ open to the following attack:
+
+  https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
+
+"A remote client could create a javax.management.loading.MLet MBean and use
+ it to create new MBeans from arbitrary URLs, at least if there is no
+ security manager. In other words, a rogue remote client could make your
+ Java application execute arbitrary code."
+
+Mitigation: Upgrade to Apache ActiveMQ 5.15.13
+
+Credit: Jonathan Gallimore & Colm O hEigeartaigh


Mime
View raw message