- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2583-1                [email protected]
https://www.debian.org/lts/security/                          Abhijith PA
March 05, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : activemq
Version        : 5.14.3-3+deb9u2
CVE ID         : CVE-2017-15709 CVE-2018-11775 CVE-2019-0222
Debian Bug     : 890352 908950 982590

Multiple security issues were discovered in activemq, a message
broker built around the Java Message Service (JMS).


    When using the OpenWire protocol in activemq, it was found that 
    certain system details (such as the OS and kernel version) are 
    exposed as plain text.


    TLS hostname verification when using the Apache ActiveMQ Client 
    was missing which could make the client vulnerable to a MITM 
    attack between a Java application using the ActiveMQ client and 
    the ActiveMQ server. This is now enabled by default.


    Unmarshalling a corrupt MQTT frame can lead to an Out of Memory
    exception in the broker, making it unresponsive.


    The optional ActiveMQ LDAP login module can be configured to use
    anonymous access to the LDAP server. The anonymous context is used
    in error to verify a valid user's password, so the password is
    effectively never checked.
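As an added illustration (not ActiveMQ's code or the fix shipped in this
update), the login flaw described above next to its correct counterpart,
run against a constructed in-memory stand-in for a directory that permits
anonymous binds:

```python
class Directory:
    """Constructed stand-in for an LDAP server that allows anonymous binds."""

    def __init__(self, entries):
        # entries: dn -> {"uid": ..., "userPassword": ...}
        self.entries = entries

    def bind(self, dn=None, password=None):
        """Simple bind. dn=None is an anonymous bind and always succeeds."""
        if dn is None:
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search_dn(self, uid):
        """Resolve a uid to its DN, or None if no such entry exists."""
        for dn, entry in self.entries.items():
            if entry["uid"] == uid:
                return dn
        return None


def login_vulnerable(directory, uid, password):
    """Flawed flow: the anonymous context is reused to 'verify' the user.
    The search succeeds for any existing uid, so the password is unused."""
    if not directory.bind():                     # anonymous bind
        return False
    return directory.search_dn(uid) is not None  # password never checked


def login_fixed(directory, uid, password):
    """Correct flow: resolve the DN anonymously, then bind AS THE USER with
    the supplied password; only that second bind proves the password."""
    if not password:            # an empty password is itself an anonymous bind
        return False
    dn = directory.search_dn(uid)
    if dn is None:
        return False
    return directory.bind(dn, password)


# Constructed sample entry (hypothetical DN and password).
DIRECTORY = Directory({
    "uid=alice,ou=users,dc=example,dc=org": {"uid": "alice", "userPassword": "s3cret"},
})
```

The empty-password guard matters on a real server too: an LDAP bind with a DN and an empty password is treated as an unauthenticated bind and succeeds on many directories.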

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS