Multiple security issues were discovered in activemq, a message
broker built around Java Message Service.
When using the OpenWire protocol in activemq, it was found that
certain system details (such as the OS and kernel version) are
exposed as plain text.
TLS hostname verification was missing when using the Apache ActiveMQ
Client, which could make the client vulnerable to a MITM attack
between a Java application using the ActiveMQ client and the
ActiveMQ server. Hostname verification is now enabled by default.
Unmarshalling a corrupt MQTT frame can lead to an Out of Memory
exception in the broker, making it unresponsive.
The optional ActiveMQ LDAP login module can be configured to use
anonymous access to the LDAP server. The anonymous context was
erroneously used to verify a valid user's password, resulting in no
check on the password at all.
For Debian 9 stretch, these problems have been fixed in version
5.14.3-3+deb9u2.
We recommend that you upgrade your activemq packages.
For the detailed security status of activemq please refer to
its security tracker page at:
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Debian LTS Advisory DLA-2583-1
https://www.debian.org/lts/security/                    Abhijith PA
March 05, 2021                              https://wiki.debian.org/LTS

Version : 5.14.3-3+deb9u2