Google Git
Sign in
apache / activemq-website / 68b440b784f55041828b0ab6edff70cb3e62fa75^! / .
commit68b440b784f55041828b0ab6edff70cb3e62fa75[log] [tgz]
authorjbonofre <jbonofre@apache.org>Thu Sep 10 11:17:48 2020 +0200
committerjbonofre <jbonofre@apache.org>Thu Sep 10 11:17:48 2020 +0200
tree29bbafbfe0b5c44e9e919383337cb7f790a87243
parentd6c291fa4772ab835871391899856f190cbdc5ba [diff]
Publish CVE-2020-11998

diff --git a/src/components/classic/security.md b/src/components/classic/security.md
index a9360e8..b3b7459 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md

@@ -9,6 +9,7 @@
 
 See the main [Security Advisories](../../security-advisories) page for details for other components and general information such as reporting new security issues.
 
+*   [CVE-2020-11998](../../security-advisories.data/CVE-2020-11998-announcement.txt) - JMX remote client could execute arbitrary code
 *   [CVE-2020-13920](../../security-advisories.data/CVE-2020-13920-announcement.txt) - JMX MITM vulnerability
 *   [CVE-2020-1941](../../security-advisories.data/CVE-2020-1941-announcement.txt) - XSS in WebConsole
 *   [CVE-2019-0222](../../security-advisories.data/CVE-2019-0222-announcement.txt) - Corrupt MQTT frame can cause broker shutdown

diff --git a/src/security-advisories.data/CVE-2020-11998-announcement.txt b/src/security-advisories.data/CVE-2020-11998-announcement.txt
new file mode 100644
index 0000000..4b4c6d9
--- /dev/null
+++ b/src/security-advisories.data/CVE-2020-11998-announcement.txt

@@ -0,0 +1,23 @@
+CVE-2020-11998: Apache ActiveMQ JMX remote client could execute arbitrary code
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Affected Version: only Apache ActiveMQ 5.15.12
+
+Vulnerability details: 
+A regression has been introduced in the commit preventing JMX re-bind.
+By passing an empty environment map to RMIConnectorServer, instead of the map that contains
+he authentication credentials, it leaves ActiveMQ open to the following attack:
+
+  https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
+
+"A remote client could create a javax.management.loading.MLet MBean and use
+ it to create new MBeans from arbitrary URLs, at least if there is no
+ security manager. In other words, a rogue remote client could make your
+ Java application execute arbitrary code."
+
+Mitigation: Upgrade to Apache ActiveMQ 5.15.13
+
+Credit: Jonathan Gallimore & Colm O hEigeartaigh