Google Git
Sign in
apache / activemq-website / 9d6b7947875151f8f0e1d678709ba2900f4326d2^! / .
commit9d6b7947875151f8f0e1d678709ba2900f4326d2[log] [tgz]
authorMatt Pavlovich <matt@hyte.io>Wed Nov 22 07:56:51 2023 -0600
committerMatt Pavlovich <matt@hyte.io>Wed Nov 22 07:57:57 2023 -0600
tree11e46a31b2a359330da63a02a9accb15c6c231a7
parent8d6a633c166eedda5bc56b00a9a33c7b79a2845e [diff]
[NO-JIRA] Update CVE information to add clarity in language and add ActiveMQ 6.0.0 as a fixed release

diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
index 2afeadf..1d757db 100644
--- a/src/_news/CVE-2023-46604.md
+++ b/src/_news/CVE-2023-46604.md

@@ -7,21 +7,22 @@
 ---
 #### Summary
 
-[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both "Classic" and Artemis clients and brokers. In short:
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. In short:
 
-  - **Users of both "Classic" and Artemis brokers are recommended to upgrade.**
+  - **Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are recommended to upgrade.**
   - **Users of any Java-based OpenWire client (e.g. Maven dependency on `activemq-client`) are recommended to upgrade (regardless of which broker you're using).**
 
 New releases for all current branches were made available on the day the CVE was announced:
 
-"Classic":
+ActiveMQ Classic:
 
- - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last release from this branch)
- - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last release from this branch)
- - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [6.0.0](https://activemq.apache.org/activemq-6000000-release)
  - [5.18.3](https://activemq.apache.org/activemq-5018003-release)
+ - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last release from this branch)
+ - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last release from this branch)
 
-Artemis:
+ActiveMQ Artemis:
 
  - [2.31.2](https://activemq.apache.org/components/artemis/download/)
 
@@ -34,17 +35,17 @@
 Three things are required to exploit this vulnerability:
 
  1. Network access
- 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class on the classpath with a `String` parameter)
+ 1. A manipulated OpenWire command (used to instantiate an arbitrary class on the classpath with a `String` parameter)
  1. A class on the classpath which can execute arbitrary code simply by instantiating it with a `String` parameter
  
 The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client so **both** are vulnerable.
 
-#### "Classic" Details
+#### ActiveMQ Classic Details
 
-The "Classic" broker ships with a handful of Spring dependencies including [`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html) which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has [a constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html#%3Cinit%3E(java.lang.String)) which takes a `String` which can be an HTTP URL pointing to an XML application configuration file across the network.
+The ActiveMQ Classic broker ships with a handful of Spring dependencies including [`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html) which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has [a constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html#%3Cinit%3E(java.lang.String)) which takes a `String` which can be an HTTP URL pointing to an XML application configuration file across the network.
 
 The only known exploit of this vulnerability uses this `ClassPathXmlApplicationContext` to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client).
 
-#### Artemis Details
+#### ActiveMQ Artemis Details
 
-Artemis supports the OpenWire protocol and therefore has dependencies from "Classic" for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.
+ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies from ActiveMQ Classic for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.