CVE-2018-11775: ActiveMQ Client - Missing TLS Hostname Verification

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache ActiveMQ 5.0.0 - 5.15.5

Description:

TLS hostname verification was missing when using the Apache ActiveMQ Client, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Mitigation:

Upgrade to Apache ActiveMQ 5.15.6

Credit:
This issue was discovered by Peter Stöckli (Alphabot Security)
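
For context on the description above, a plain JSSE `SSLSocket` validates the certificate chain but does not compare the certificate to the host name unless an endpoint identification algorithm is set. The following is an added example, not ActiveMQ code and not the project's fix; the class and method names are hypothetical, and it uses only the standard `javax.net.ssl` API.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

public class HostnameVerificationDemo {

    // Enable RFC 2818-style endpoint identification: the handshake then
    // fails unless the server certificate matches the host we connected to.
    static void requireHostnameMatch(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    // Audit helper: true only if the socket will check the peer's host name.
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    // Hypothetical client helper: connect, harden, then handshake.
    static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            requireHostnameMatch(socket);  // must happen before the handshake
            socket.startHandshake();       // SSLHandshakeException on mismatch
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected socket, so this part runs without any network access.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println("default verifies hostname: " + verifiesHostname(socket));
            requireHostnameMatch(socket);
            System.out.println("hardened verifies hostname: " + verifiesHostname(socket));
        }
    }
}
```

A check like `verifiesHostname` can be used in tests for any code that opens TLS sockets directly, to confirm endpoint identification is set before the handshake starts.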