Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Debian 11: DLA-3936-1 critical: ActiveMQ remote code execution

debian lts
Calendar Grey October 25, 2024
Dist Debian Esm H88
Debian LTS Notice DLA-3936-1 addresses significant security issues in ActiveMQ; it is highly recommended to perform the update.
Two vulnerabilities were found in Apache ActiveMQ, a Java-based message broker

Summary

CVE-2022-41678

Deserialization vulnerability on Jolokia that allows authenticated users to
perform arbitrary code execution.

CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to arbitrary code
execution. This vulnerability may allow a remote attacker with network
access to run arbitrary shell commands by manipulating serialized class
types in either a Java-based OpenWire broker or client.

For Debian 11 bullseye, these problems have been fixed in version
5.16.1-1+deb11u1.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/activemq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
critical
Lowest
Low
Medium
High
Critical

Package: activemq
Version: 5.16.1-1+deb11u1
CVE ID: CVE-2022-41678 CVE-2023-46604
Debian Bug: 1054909

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here