Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.6884
activemq security update
21 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: activemq
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2023-46604 CVE-2021-26117 CVE-2020-13920
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
Comment: CVSS (Max): 10.0 CVE-2023-46604 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
CVSS Source: NIST, [Apache Software Foundation]
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
CISA KEV CVE(s): CVE-2023-46604*
CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
* Known Ransomware Campaign Use
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3657-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
November 20, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : activemq
Version : 5.15.16-0+deb10u1
CVE ID : CVE-2020-13920 CVE-2021-26117 CVE-2023-46604
Debian Bug : 1054909 982590=20
Several security vulnerabilities have been discovered in ActiveMQ, a Java
message broker.
CVE-2020-13920
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
registry and binds the server to the "jmxrmi" entry. It is possible to connect
to the registry without authentication and call the rebind method to rebind
jmxrmi to something else. If an attacker creates another server to proxy the
original, and bound that, he effectively becomes a man in the middle and is
able to intercept the credentials when an user connects.
CVE-2021-26117
The optional ActiveMQ LDAP login module can be configured to use anonymous
access to the LDAP server.
CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
This vulnerability may allow a remote attacker with network access to either a
Java-based OpenWire broker or client to run arbitrary shell commands by
manipulating serialized class types in the OpenWire protocol to cause either
the client or the broker (respectively) to instantiate any class on the
classpath.
For Debian 10 buster, these problems have been fixed in version
5.15.16-0+deb10u1.
We recommend that you upgrade your activemq packages.
For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/activemq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZVwMLckNZI30y1K9AQi/hw/+JjKIOLf0RJNWRsUY/hdPOjhTX7e5Yr6g
TijcLaxGDL9xyacaSRQZHFGFDMEz6qcIxjuvg93tip/L/+1ehRBijzuOhOZmkdJM
58WM9rudd33kE9LC/Hd1BRJPl+XbJ8Y/dg0HiDrpGPJynEwqvrD9/ubdxl/GtWBN
KC+faOlfNgGACAZRowSTKMyzLp4tLhOrv+CVbFczcrnmgpyTRyCxqjKFy62objxQ
9wV7o3WtQa7tKVhn24Lmx9nhy8Ze2RII7gd2Tf2M1d+Ht+sMwQfcvVh5gPTuTCSh
HuuYexVlyixy6FR3P72dVmOdhx0bkW+udHe+Ydym0vMRit1gwlglrwxRJ2yvvJ6i
XzmRbd9aavu7FcQ0nfTmyqdwj8QE1y7Z/CFKuWfkvERjMauawkFHfO1FN36olQH/
W3z6zWxljHGaZImYgSUqZmacoQiavZKIH/thjXc3d9lofbWYxHsQmqOsGC6Sx7xq
uGc8j+BO9JLVQx9pXUz2HwB8hjGoJqYF5EmmJcLyw8KOois9aBeNRaZZm5SqAoxL
0HPa6oTzkEDYFrBcw+NamOUrg4bCBKG6POiNDwkYBYtYV3J6P2SSAjwDy7rTlnq1
8srzIHkTbFIKT6LzHHGM97FLoOU9tXXW78gD0ZyM6BzAbIOooxLvhrnL1Ut3Q/hx
pOWF465i6mI=
=ebre
-----END PGP SIGNATURE-----