This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 9578e900a Automatic Site Publish by Buildbot
9578e900a is described below

commit 9578e900a9281d41fb1973cc135cc4fb7922c234
Author: buildbot <[email protected]>
AuthorDate: Thu Nov 9 05:00:09 2023 +0000

    Automatic Site Publish by Buildbot
---
 output/news/cve-2023-46604.html | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/output/news/cve-2023-46604.html b/output/news/cve-2023-46604.html
index 0cdd22cc5..87527dd94 100644
--- a/output/news/cve-2023-46604.html
+++ b/output/news/cve-2023-46604.html
@@ -96,7 +96,14 @@
 
 <h4 id="summary">Summary</h4>
 
-<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>CVE-2023-46604</a> was 
recently announced and it has caused quite a bit of traffic on the mailing 
lists and in Jira from users curious about its impact on both “Classic” and 
Artemis. In short, <strong>users of both “Classic” and Artemis are recommended 
to upgrade</strong>. New releases for all current branches were made available 
on the day the CVE was announced:</p>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>CVE-2023-46604</a> was 
recently announced and it has caused quite a bit of traffic on the mailing 
lists and in Jira from users curious about its impact on both “Classic” and 
Artemis clients and brokers. In short:</p>
+
+<ul>
+  <li><strong>Users of both “Classic” and Artemis brokers are recommended to 
upgrade.</strong></li>
+  <li><strong>Users of any Java-based OpenWire client (e.g. Maven dependency 
on <code class="language-plaintext highlighter-rouge">activemq-client</code>) 
are recommended to upgrade (regardless of which broker you’re 
using).</strong></li>
+</ul>
+
+<p>New releases for all current branches were made available on the day the 
CVE was announced:</p>
 
 <p>“Classic”:</p>
 
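Review bot: the new client bullet ("Users of any Java-based OpenWire client ... are recommended to upgrade (regardless of which broker you're using)") gives no reason why a client needs upgrading, and a reader who stops at the summary will not find one; consider appending a short clause such as "because the malicious command can also be sent from a broker to a client" so the summary stands on its own. Separately, both the removed and the added `<a>` tags carry a stray `;` between the closing quote and `>` (`href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>`); if that character is in the source rather than an artifact of the mail archive's URL rewriting, it should be dropped.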
@@ -129,11 +136,13 @@
   <li>A class on the classpath which can execute arbitrary code simply by 
instantiating it with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter</li>
 </ol>
 
+<p>The manipulated command (i.e. #2) can be sent by a client to a broker or 
from a broker to a client so <strong>both</strong> are vulnerable.</p>
+
 <h4 id="classic-details">“Classic” Details</h4>
 
-<p>“Classic” ships with a handful of Spring dependencies including, among 
other things, <a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html";><code
 class="language-plaintext 
highlighter-rouge">org.springframework.context.support.ClassPathXmlApplicationContext</code></a>.
 This class is used to run Spring applications, and it has <a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc [...]
+<p>The “Classic” broker ships with a handful of Spring dependencies including 
<a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html";><code
 class="language-plaintext 
highlighter-rouge">org.springframework.context.support.ClassPathXmlApplicationContext</code></a>
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side dependen [...]
 
-<p>The only known exploit of this vulnerability uses this <code 
class="language-plaintext 
highlighter-rouge">ClassPathXmlApplicationContext</code> to load a malicious 
XML application configuration file from somewhere on the network via HTTP. This 
malicious XML specifically defines the arbitrary code to be run on the machine 
hosting the broker.</p>
+<p>The only known exploit of this vulnerability uses this <code 
class="language-plaintext 
highlighter-rouge">ClassPathXmlApplicationContext</code> to load a malicious 
XML application configuration file from somewhere on the network via HTTP. This 
malicious XML specifically defines the arbitrary code to be run on the machine 
with the vulnerability (i.e. broker or client).</p>
 
 <h4 id="artemis-details">Artemis Details</h4>
 
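Review bot: the added paragraph "The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client so both are vulnerable" is broader than the summary, which limits the client advice to Java-based OpenWire clients (`activemq-client`); state the client scope here as well so the two sections agree, e.g. "... or from a broker to an OpenWire client so both are vulnerable". The "#2" reference also depends on the reader having the numbered list in view; naming the item ("the manipulated command in a class name") would make the sentence self-contained. In the second `<p>`, the change from "the machine hosting the broker" to "the machine with the vulnerability (i.e. broker or client)" reads fine.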
