This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new 13515c8ab NO-JIRA more clarifications for CVE-2023-46604
13515c8ab is described below
commit 13515c8ab2ff369bac208f2cd348c386c822f2f1
Author: Justin Bertram <[email protected]>
AuthorDate: Wed Nov 8 22:58:51 2023 -0600
NO-JIRA more clarifications for CVE-2023-46604
---
src/_news/CVE-2023-46604.md | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
index b176bd41d..3a8a40545 100644
--- a/src/_news/CVE-2023-46604.md
+++ b/src/_news/CVE-2023-46604.md
@@ -7,7 +7,12 @@ type: main
---
#### Summary
-[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently
announced and it has caused quite a bit of traffic on the mailing lists and in
Jira from users curious about its impact on both "Classic" and Artemis. In
short, **users of both "Classic" and Artemis are recommended to upgrade**. New
releases for all current branches were made available on the day the CVE was
announced:
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently
announced and it has caused quite a bit of traffic on the mailing lists and in
Jira from users curious about its impact on both "Classic" and Artemis clients
and brokers. In short:
+
+ - **Users of both "Classic" and Artemis brokers are recommended to upgrade.**
+ - **Users of any Java-based OpenWire client (e.g. Maven dependency on
`activemq-client`) are recommended to upgrade (regardless of which broker
you're using).**
+
+New releases for all current branches were made available on the day the CVE
was announced:
"Classic":
@@ -31,12 +36,14 @@ Three things are required to exploit this vulnerability:
1. Network access
1. A manipulated OpenWire "command" (used to instantiate an arbitrary class
on the classpath with a `String` parameter)
1. A class on the classpath which can execute arbitrary code simply by
instantiating it with a `String` parameter
+
+The manipulated command (i.e. #2) can be sent by a client to a broker or from
a broker to a client so **both** are vulnerable.
#### "Classic" Details
-"Classic" ships with a handful of Spring dependencies including, among other
things,
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html).
This class is used to run Spring applications, and it has [a
constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicatio
[...]
+The "Classic" broker ships with a handful of Spring dependencies including
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html)
which is used to run Spring applications. This class is not only present on
the broker, but it is an extremely common client-side dependency as well. It
has [a constructor](https://docs.spring.io/spring-frame [...]
-The only known exploit of this vulnerability uses this
`ClassPathXmlApplicationContext` to load a malicious XML application
configuration file from somewhere on the network via HTTP. This malicious XML
specifically defines the arbitrary code to be run on the machine hosting the
broker.
+The only known exploit of this vulnerability uses this
`ClassPathXmlApplicationContext` to load a malicious XML application
configuration file from somewhere on the network via HTTP. This malicious XML
specifically defines the arbitrary code to be run on the machine with the
vulnerability (i.e. broker or client).
#### Artemis Details