This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 13515c8ab NO-JIRA more clarifications for CVE-2023-46604
13515c8ab is described below

commit 13515c8ab2ff369bac208f2cd348c386c822f2f1
Author: Justin Bertram <[email protected]>
AuthorDate: Wed Nov 8 22:58:51 2023 -0600

    NO-JIRA more clarifications for CVE-2023-46604
---
 src/_news/CVE-2023-46604.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
index b176bd41d..3a8a40545 100644
--- a/src/_news/CVE-2023-46604.md
+++ b/src/_news/CVE-2023-46604.md
@@ -7,7 +7,12 @@ type: main
 ---
 #### Summary
 
-[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently 
announced and it has caused quite a bit of traffic on the mailing lists and in 
Jira from users curious about its impact on both "Classic" and Artemis. In 
short, **users of both "Classic" and Artemis are recommended to upgrade**. New 
releases for all current branches were made available on the day the CVE was 
announced:
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently 
announced and it has caused quite a bit of traffic on the mailing lists and in 
Jira from users curious about its impact on both "Classic" and Artemis clients 
and brokers. In short:
+
+  - **Users of both "Classic" and Artemis brokers are recommended to upgrade.**
+  - **Users of any Java-based OpenWire client (e.g. Maven dependency on 
`activemq-client`) are recommended to upgrade (regardless of which broker 
you're using).**
+
+New releases for all current branches were made available on the day the CVE 
was announced:
 
 "Classic":
 
@@ -31,12 +36,14 @@ Three things are required to exploit this vulnerability:
  1. Network access
  1. A manipulated OpenWire "command" (used to instantiate an arbitrary class 
on the classpath with a `String` parameter)
  1. A class on the classpath which can execute arbitrary code simply by 
instantiating it with a `String` parameter
+ 
+The manipulated command (i.e. #2) can be sent by a client to a broker or from 
a broker to a client so **both** are vulnerable.
 
 #### "Classic" Details
 
-"Classic" ships with a handful of Spring dependencies including, among other 
things, 
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html).
 This class is used to run Spring applications, and it has [a 
constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicatio
 [...]
+The "Classic" broker ships with a handful of Spring dependencies including 
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html)
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side dependency as well. It 
has [a constructor](https://docs.spring.io/spring-frame [...]
 
-The only known exploit of this vulnerability uses this 
`ClassPathXmlApplicationContext` to load a malicious XML application 
configuration file from somewhere on the network via HTTP. This malicious XML 
specifically defines the arbitrary code to be run on the machine hosting the 
broker.
+The only known exploit of this vulnerability uses this 
`ClassPathXmlApplicationContext` to load a malicious XML application 
configuration file from somewhere on the network via HTTP. This malicious XML 
specifically defines the arbitrary code to be run on the machine with the 
vulnerability (i.e. broker or client).
 
 #### Artemis Details
 

Reply via email to