
Debian 10 Buster DLA-3657-1: Critical ActiveMQ Remote Code Execution

Debian LTS
November 20, 2023
Debian LTS advisory DLA-3657-1 reports critical security vulnerabilities in ActiveMQ and gives guidance on the update that addresses them.
Several security vulnerabilities have been discovered in ActiveMQ, a Java message broker.

Summary

CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
registry and binds the server to the "jmxrmi" entry. It is possible to connect
to the registry without authentication and call the rebind method to rebind
jmxrmi to something else. If an attacker creates another server that proxies the
original and binds that instead, the attacker effectively becomes a man in the
middle and is able to intercept the credentials when a user connects.

CVE-2021-26117

The optional ActiveMQ LDAP login module can be configured to use anonymous
access to the LDAP server.

CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
This vulnerability may allow a remote attacker with network access to either a
Java-based OpenWire broker or client to run arbitrary shell commands by
manipulating serialized class types in the OpenWire protocol to cause either
the client or the broker (respectively) to instantiate any class on the
classpath.



Severity: Critical

Package: activemq
Version: 5.15.16-0+deb10u1
CVE ID: CVE-2020-13920 CVE-2021-26117 CVE-2023-46604
Debian Bug: 1054909 982590
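The practical check after reading this advisory is whether the installed activemq package is at or above the fixed version listed above. The following is an added example, not part of the advisory or of Debian's tooling: it implements Debian's package version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything else) so that versions such as `5.15.16~rc1` compare correctly, and reads the installed version via `dpkg-query`. The helper names are my own.

```python
import re
import subprocess

# Fixed version named in DLA-3657-1 for Debian 10 "buster"
FIXED_VERSION = "5.15.16-0+deb10u1"


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision are optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _char_order(c):
    # Debian policy: '~' sorts before anything, even end of string; letters before non-letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings per the dpkg algorithm; returns -1, 0 or 1."""
    while a or b:
        # Non-digit run, compared character by character (end of string ranks as 0).
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        # Digit run, compared numerically (leading zeros are irrelevant).
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        va, vb = int(da or 0), int(db or 0)
        if va != vb:
            return -1 if va < vb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering Debian package versions a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed activemq version is at or above the DLA-3657-1 fix."""
    return compare_versions(installed, fixed) >= 0


def installed_activemq_version():
    """Ask dpkg for the installed activemq version; None if absent or dpkg is unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "activemq"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_activemq_version()
    print("activemq not installed" if v is None else f"{v}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
```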
