This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new ea0fc42d6 Clarify CVE-2023-46604
ea0fc42d6 is described below
commit ea0fc42d63597466e2df1854e0fbae73a3fec21d
Author: Justin Bertram <[email protected]>
AuthorDate: Fri Nov 10 23:12:58 2023 -0600
Clarify CVE-2023-46604
---
src/security-advisories.data/CVE-2023-46604-announcement.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security-advisories.data/CVE-2023-46604-announcement.txt
b/src/security-advisories.data/CVE-2023-46604-announcement.txt
index 97f4b80aa..b5157f8bc 100644
--- a/src/security-advisories.data/CVE-2023-46604-announcement.txt
+++ b/src/security-advisories.data/CVE-2023-46604-announcement.txt
@@ -11,9 +11,9 @@ Affected versions:
Description:
-Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may
allow a remote attacker with network access to a broker to run arbitrary shell
commands by manipulating serialized class types in the OpenWire protocol to
cause the broker to instantiate any class on the classpath.
+The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
This vulnerability may allow a remote attacker with network access to either a
Java-based OpenWire broker or client to run arbitrary shell commands by
manipulating serialized class types in the OpenWire protocol to cause either
the client or the broker (respectively) to instantiate any class on the
classpath.
-Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or
5.18.3, which fixes this issue.
+Users are recommended to upgrade both brokers and clients to version 5.15.16,
5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
This issue is being tracked as AMQ-9370
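Review bot: In the new Description paragraph, "(respectively)" pairs the two lists in opposite order: the sentence first names "a Java-based OpenWire broker or client" and then "either the client or the broker (respectively)", so read literally it says that reaching a broker causes the client to instantiate the class. Use the same order in both places ("either the broker or the client") or drop "(respectively)". The upgrade sentence also lost the comma before "which fixes this issue". Since the text now covers clients as well as brokers, check that the "Affected versions:" list just above this hunk names the client side too, as this hunk changes only the Description.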