This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new b5454da58 Automatic Site Publish by Buildbot
b5454da58 is described below

commit b5454da58ff790b2bae1073d018ae9777d5e9787
Author: buildbot <[email protected]>
AuthorDate: Fri Nov 3 04:58:35 2023 +0000

    Automatic Site Publish by Buildbot
---
 output/index.html               |  22 +++--
 output/news/cve-2023-46604.html | 173 ++++++++++++++++++++++++++++++++++++++++
 output/news/index.html          |   5 ++
 3 files changed, 188 insertions(+), 12 deletions(-)

diff --git a/output/index.html b/output/index.html
index ef03ee903..6e403b4df 100644
--- a/output/index.html
+++ b/output/index.html
@@ -123,13 +123,13 @@
 <div class="card card-grey-small">
 <div class="card-body ml-0 p-2">
 
-    <h6 class="card-title"><a class="text-blue" 
href="/components/artemis/download/">ActiveMQ Artemis 2.31.2</a></h6>
+    <h6 class="card-title"><a class="text-blue" 
href="/news/cve-2023-46604">Update on CVE-2023-46604</a></h6>
 
 
 
-    Bug fix release.<a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/components/artemis/download/">...more</a>
+    <a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/news/cve-2023-46604">...more</a>
 
-    <p class="small text-muted text-right font-italic mb-0">Oct 27th, 2023</p>
+    <p class="small text-muted text-right font-italic mb-0">Nov 3rd, 2023</p>
 </div>
 </div>
 
@@ -137,15 +137,13 @@
 <div class="card card-grey-small">
 <div class="card-body ml-0 p-2">
 
-    <h6 class="card-title"><a class="text-blue" 
href="/activemq-5016007-release">ActiveMQ 5.16.7 Release</a></h6>
+    <h6 class="card-title"><a class="text-blue" 
href="/components/artemis/download/">ActiveMQ Artemis 2.31.2</a></h6>
 
 
 
-    Important release, including several improvements, fixes, and dependency 
updates.
-<br/><br/><strong>NOTE:</strong> This is the last planned 5.16.x release. 
Users should upgrade to the current stream for ongoing releases.
-<a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/activemq-5016007-release">...more</a>
+    Bug fix release.<a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/components/artemis/download/">...more</a>
 
-    <p class="small text-muted text-right font-italic mb-0">Oct 26th, 2023</p>
+    <p class="small text-muted text-right font-italic mb-0">Oct 27th, 2023</p>
 </div>
 </div>
 
@@ -153,13 +151,13 @@
 <div class="card card-grey-small">
 <div class="card-body ml-0 p-2">
 
-    <h6 class="card-title"><a class="text-blue" 
href="/activemq-5015016-release">ActiveMQ 5.15.16 Release</a></h6>
+    <h6 class="card-title"><a class="text-blue" 
href="/activemq-5016007-release">ActiveMQ 5.16.7 Release</a></h6>
 
 
 
-    Important release, including several resolved issues and bug fixes.
-<br/><br/><strong>NOTE:</strong> This is the last planned 5.15.x release. 
Users should upgrade to the current stream for ongoing releases.
-<a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/activemq-5015016-release">...more</a>
+    Important release, including several improvements, fixes, and dependency 
updates.
+<br/><br/><strong>NOTE:</strong> This is the last planned 5.16.x release. 
Users should upgrade to the current stream for ongoing releases.
+<a style="display: unset;" class="nav-link pl-0 ml-0" 
href="/activemq-5016007-release">...more</a>
 
     <p class="small text-muted text-right font-italic mb-0">Oct 26th, 2023</p>
 </div>
diff --git a/output/news/cve-2023-46604.html b/output/news/cve-2023-46604.html
new file mode 100644
index 000000000..0cdd22cc5
--- /dev/null
+++ b/output/news/cve-2023-46604.html
@@ -0,0 +1,173 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta http-equiv="X-UA-Compatible" content="ie=edge">
+    <title>ActiveMQ</title>
+    <link rel="icon" type="image/png" href="/assets/img/favicon.png">
+
+    <link rel="stylesheet" href="/css/main.css">
+    <script defer src="/js/fontawesome-v5.0.8-all.js" 
integrity="sha384-SlE991lGASHoBfWbelyBPLsUlwY1GwNDJo3jSJO04KZ33K2bwfV9YBauFfnzvynJ"></script>
+    <script src="/js/jquery-3.6.1.slim.min.js" 
integrity="sha384-MYL22lstpGhSa4+udJSGro5I+VfM13fdJfCbAzP9krCEoK5r2EDFdgTg2+DGXdj+"></script>
+    <script src="/js/popper.min.js" 
integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"></script>
+    <script src="/js/bootstrap.min.js" 
integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"></script>
+</head>
+
+<body>
+<nav class="navbar navbar-expand-lg navbar-light fixed-top">
+    <div class="container">
+        <!-- <a class="navbar-brand mr-auto" href="#"><img style="height: 
50px" src="assets/img/apache-feather.png" /></a> -->
+        <a class="navbar-brand mr-auto" href="/"><img 
src="/assets/img/activemq_logo_black_small.png" style="height: 50px"/></a>
+        <button class="navbar-toggler ml-auto" type="button" 
data-toggle="collapse" data-target="#navbarContent" 
aria-controls="navbarContent" aria-expanded="false" aria-label="Toggle 
navigation">
+            <span class="navbar-toggler-icon"></span>
+        </button>
+
+        <div class="ml-auto collapse navbar-collapse" id="navbarContent">
+            <ul class="navbar-nav ml-auto">
+                <li class="nav-item">
+                    <a class="nav-link active" href="/news">News</a>
+                </li>
+                <li class="nav-item dropdown">
+                    <a class="nav-link" id="navbarDropdownComponents" 
data-target="#" href="" data-toggle="dropdown" aria-haspopup="true" 
aria-expanded="false">Components<span class="caret"></span></a>
+                    <ul class="dropdown-menu dropdown-menu-center" 
aria-labelledby="navbarDropdownComponents">
+                        <div class="row">
+                            <div class="col-12">
+                                <ul class="multi-column-dropdown">
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/components/classic">ActiveMQ "Classic"</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/components/artemis/">ActiveMQ Artemis</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/components/nms">NMS Clients</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/components/cms">CMS Client</a></li>
+                                </ul>
+                            </div>
+                        </div>
+                    </ul>
+                </li>
+                <li class="nav-item dropdown">
+                    <a class="nav-link" id="navbarDropdownCommunity" 
data-target="#" href="" data-toggle="dropdown" aria-haspopup="true" 
aria-expanded="false">Community<span class="caret"></span></a>
+                    <ul class="dropdown-menu dropdown-menu-center multi-column 
columns-1" aria-labelledby="navbarDropdownCommunity">
+                        <div class="row">
+                            <div class="col-12">
+                                <ul class="multi-column-dropdown">
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/contact">Contact Us</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/contributing">Contribute</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/issues">Report Issues</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/support">Get Support</a></li>
+                                </ul>
+                            </div>
+                          </div>
+                    </ul>
+                </li>
+                <li class="nav-item dropdown">
+                    <a class="nav-link" id="navbarDropdownTeam" 
data-target="#" href="" data-toggle="dropdown" aria-haspopup="true" 
aria-expanded="false"><img src="/assets/img/feather.png" 
style="height:20px">Apache<span class="caret"></span></a>
+                    <ul class="dropdown-menu dropdown-menu-center multi-column 
columns-1" aria-labelledby="navbarDropdownTeam">
+                        <div class="row">
+                            <div class="col-sm-12">
+                                <ul class="multi-column-dropdown">
+                                    <li class="nav-item"><a 
class="dropdown-item" href="https://www.apache.org";>The Apache Software 
Foundation</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="https://www.apache.org/licenses/";>License</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/foundation/thanks.html";>Thanks</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" href="/security-advisories">Security</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://www.apache.org/events/current-event";>Events</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://people.apache.org/phonebook.html?pmc=activemq";>PMC & 
Committers</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://whimsy.apache.org/board/minutes/ActiveMQ.html";>Board 
Reports</a></li>
+                                    <li class="nav-item"><a 
class="dropdown-item" 
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy 
Policy</a></li>
+                                </ul>
+                            </div>
+                        </div>
+                    </ul>
+                </li>
+            </ul>
+        </div>
+    </div>
+</nav>
+
+<div class="content">
+  <div class="page-title-main">
+    <div class="container">
+      <h1>Update on CVE-2023-46604</h1>
+    </div>
+  </div>
+  <div class="container" >
+    <div class="row" style="margin-top: 30px">
+      <div class="col-12 main">
+        <p><a href="/news">News</a> &gt; <a href="/news/cve-2023-46604">Update 
on CVE-2023-46604</a></p>
+
+<h4 id="summary">Summary</h4>
+
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>CVE-2023-46604</a> was 
recently announced and it has caused quite a bit of traffic on the mailing 
lists and in Jira from users curious about its impact on both “Classic” and 
Artemis. In short, <strong>users of both “Classic” and Artemis are recommended 
to upgrade</strong>. New releases for all current branches were made available 
on the day the CVE was announced:</p>
+
+<p>“Classic”:</p>
+
+<ul>
+  <li><a 
href="https://activemq.apache.org/activemq-5015016-release";>5.15.16</a> (last 
release from this branch)</li>
+  <li><a 
href="https://activemq.apache.org/activemq-5016007-release";>5.16.7</a> (last 
release from this branch)</li>
+  <li><a 
href="https://activemq.apache.org/activemq-5017006-release";>5.17.6</a></li>
+  <li><a 
href="https://activemq.apache.org/activemq-5018003-release";>5.18.3</a></li>
+</ul>
+
+<p>Artemis:</p>
+
+<ul>
+  <li><a 
href="https://activemq.apache.org/components/artemis/download/";>2.31.2</a></li>
+</ul>
+
+<h4 id="cve-overview">CVE Overview</h4>
+
+<p>As stated in the <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>official CVE 
description</a>:</p>
+
+<blockquote>
+  <p>Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability 
may allow a remote attacker with network access to a broker to run arbitrary 
shell commands by manipulating serialized class types in the OpenWire protocol 
to cause the broker to instantiate any class on the classpath.</p>
+</blockquote>
+
+<p>Three things are required to exploit this vulnerability:</p>
+
+<ol>
+  <li>Network access</li>
+  <li>A manipulated OpenWire “command” (used to instantiate an arbitrary class 
on the classpath with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter)</li>
+  <li>A class on the classpath which can execute arbitrary code simply by 
instantiating it with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter</li>
+</ol>
+
+<h4 id="classic-details">“Classic” Details</h4>
+
+<p>“Classic” ships with a handful of Spring dependencies including, among 
other things, <a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html";><code
 class="language-plaintext 
highlighter-rouge">org.springframework.context.support.ClassPathXmlApplicationContext</code></a>.
 This class is used to run Spring applications, and it has <a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc [...]
+
+<p>The only known exploit of this vulnerability uses this <code 
class="language-plaintext 
highlighter-rouge">ClassPathXmlApplicationContext</code> to load a malicious 
XML application configuration file from somewhere on the network via HTTP. This 
malicious XML specifically defines the arbitrary code to be run on the machine 
hosting the broker.</p>
+
+<h4 id="artemis-details">Artemis Details</h4>
+
+<p>Artemis supports the OpenWire protocol and therefore has dependencies from 
“Classic” for this support. These dependencies include the vulnerable code. 
However, Artemis doesn’t ship Spring so there is currently no known exploit. 
Regardless, upgrading is still recommended.</p>
+
+      </div>
+    </div>
+  </div>
+</div>
+<div class="row sitemap">
+  <div class="col-sm-12">
+    <div class="container">
+      <div class="row">
+        <div class="col-sm-12">
+          <div class="row">
+            <div class="col-sm-3">
+              <div >
+                <img class="float-left" style="max-height: 100px" 
src="/assets/img/activemq_logo_white_vertical_small.png"/>
+              </div>
+            </div>
+            <div style="text-align: center; margin-bottom: 0px; margin-top: 
30px; font-size: 65%" class="col-sm-6">
+              <p><a 
href="https://www.apache.org/foundation/marks/list/";>Apache, ActiveMQ, Apache 
ActiveMQ</a>, the Apache feather logo, and the Apache ActiveMQ project logo are 
trademarks of The Apache Software Foundation. Copyright &copy; 2023, The Apache 
Software Foundation. Licensed under <a 
href="http://www.apache.org/licenses/LICENSE-2.0";>Apache License 2.0</a>.</p>
+            </div>
+            <div class="col-sm-3">
+              <div >
+                <a href="https://www.apache.org";><img class="float-right" 
style="margin-top: 10px; max-height: 80px" 
src="/assets/img/apache-logo-small.png"/></a>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
+</body>
+</html>
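Review bot: The "Artemis Details" paragraph at the end of the page body reasons from what Artemis ships, while requirement 3 in the list above it is about any class on the broker's classpath, so a deployment that adds Spring or a similar library itself is not covered by "no known exploit". A sentence such as `Deployments that add Spring or other third-party libraries to the broker classpath should not rely on this and should upgrade.` would close that gap. The page also gives no interim guidance for operators who cannot upgrade at once: since requirement 1 is network access, a line like `Until the upgrade is applied, restrict access to the broker's OpenWire port to trusted hosts.` would fit in the Summary section. Separately, `<title>ActiveMQ</title>` is generic for an advisory page; `<title>Update on CVE-2023-46604 - ActiveMQ</title>` would make it identifiable in tabs and search results. This file appears to be Buildbot output, so these changes belong in the page source and template rather than under output/.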
diff --git a/output/news/index.html b/output/news/index.html
index fa3301236..a6ca3445a 100644
--- a/output/news/index.html
+++ b/output/news/index.html
@@ -94,6 +94,11 @@
       <div class="col-12 main">
         <p><a href="/">Home</a> &gt; <a href="/news">News</a></p>
 
+<h3 id="update-on-cve-2023-46604">Update on CVE-2023-46604</h3>
+<p><span class="text-secondary"> Nov 3rd, 2023</span></p>
+
+<p><a href="/news/cve-2023-46604">Read More</a></p>
+
 <h3 id="activemq-artemis-2312">ActiveMQ Artemis 2.31.2</h3>
 <p><span class="text-secondary"> Oct 27th, 2023</span></p>
 
