This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new f52efdc15 Automatic Site Publish by Buildbot
f52efdc15 is described below

commit f52efdc157601a4f8281c1798888501f22ce623a
Author: buildbot <[email protected]>
AuthorDate: Wed Nov 22 13:59:16 2023 +0000

    Automatic Site Publish by Buildbot
---
 output/news/cve-2023-46604.html | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/output/news/cve-2023-46604.html b/output/news/cve-2023-46604.html
index 99b0153ef..efcd9e87d 100644
--- a/output/news/cve-2023-46604.html
+++ b/output/news/cve-2023-46604.html
@@ -96,25 +96,26 @@
 
 <h4 id="summary">Summary</h4>
 
-<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>CVE-2023-46604</a> was 
recently announced and it has caused quite a bit of traffic on the mailing 
lists and in Jira from users curious about its impact on both “Classic” and 
Artemis clients and brokers. In short:</p>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-46604";>CVE-2023-46604</a> was 
recently announced and it has caused quite a bit of traffic on the mailing 
lists and in Jira from users curious about its impact on both ActiveMQ Classic 
and ActiveMQ Artemis clients and brokers. In short:</p>
 
 <ul>
-  <li><strong>Users of both “Classic” and Artemis brokers are recommended to 
upgrade.</strong></li>
+  <li><strong>Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are 
recommended to upgrade.</strong></li>
   <li><strong>Users of any Java-based OpenWire client (e.g. Maven dependency 
on <code class="language-plaintext highlighter-rouge">activemq-client</code>) 
are recommended to upgrade (regardless of which broker you’re 
using).</strong></li>
 </ul>
 
 <p>New releases for all current branches were made available on the day the 
CVE was announced:</p>
 
-<p>“Classic”:</p>
+<p>ActiveMQ Classic:</p>
 
 <ul>
-  <li><a 
href="https://activemq.apache.org/activemq-5015016-release";>5.15.16</a> (last 
release from this branch)</li>
-  <li><a 
href="https://activemq.apache.org/activemq-5016007-release";>5.16.7</a> (last 
release from this branch)</li>
-  <li><a 
href="https://activemq.apache.org/activemq-5017006-release";>5.17.6</a></li>
+  <li><a 
href="https://activemq.apache.org/activemq-6000000-release";>6.0.0</a></li>
   <li><a 
href="https://activemq.apache.org/activemq-5018003-release";>5.18.3</a></li>
+  <li><a 
href="https://activemq.apache.org/activemq-5017006-release";>5.17.6</a></li>
+  <li><a 
href="https://activemq.apache.org/activemq-5016007-release";>5.16.7</a> (last 
release from this branch)</li>
+  <li><a 
href="https://activemq.apache.org/activemq-5015016-release";>5.15.16</a> (last 
release from this branch)</li>
 </ul>
 
-<p>Artemis:</p>
+<p>ActiveMQ Artemis:</p>
 
 <ul>
   <li><a 
href="https://activemq.apache.org/components/artemis/download/";>2.31.2</a></li>
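Review bot: the new 6.0.0 entry is added under the unchanged sentence "New releases for all current branches were made available on the day the CVE was announced", and this commit lands on Nov 22, well after the original post; if 6.0.0 was not part of the same-day release set, that intro sentence should be reworded (e.g. "Fixed releases are available for all current branches:") so the list does not misstate when 6.0.0 shipped. The rest of the hunk is consistent: the rename from “Classic” to "ActiveMQ Classic" is applied to the paragraph, bullet and list labels, the list is now in descending version order, and the "(last release from this branch)" qualifiers stay attached to 5.16.7 and 5.15.16.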
@@ -132,21 +133,21 @@
 
 <ol>
   <li>Network access</li>
-  <li>A manipulated OpenWire “command” (used to instantiate an arbitrary class 
on the classpath with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter)</li>
+  <li>A manipulated OpenWire command (used to instantiate an arbitrary class 
on the classpath with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter)</li>
   <li>A class on the classpath which can execute arbitrary code simply by 
instantiating it with a <code class="language-plaintext 
highlighter-rouge">String</code> parameter</li>
 </ol>
 
 <p>The manipulated command (i.e. #2) can be sent by a client to a broker or 
from a broker to a client so <strong>both</strong> are vulnerable.</p>
 
-<h4 id="classic-details">“Classic” Details</h4>
+<h4 id="activemq-classic-details">ActiveMQ Classic Details</h4>
 
-<p>The “Classic” broker ships with a handful of Spring dependencies including 
<a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html";><code
 class="language-plaintext 
highlighter-rouge">org.springframework.context.support.ClassPathXmlApplicationContext</code></a>
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side dependen [...]
+<p>The ActiveMQ Classic broker ships with a handful of Spring dependencies 
including <a 
href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html";><code
 class="language-plaintext 
highlighter-rouge">org.springframework.context.support.ClassPathXmlApplicationContext</code></a>
 which is used to run Spring applications. This class is not only present on 
the broker, but it is an extremely common client-side d [...]
 
 <p>The only known exploit of this vulnerability uses this <code 
class="language-plaintext 
highlighter-rouge">ClassPathXmlApplicationContext</code> to load a malicious 
XML application configuration file from somewhere on the network via HTTP. This 
malicious XML specifically defines the arbitrary code to be run on the machine 
with the vulnerability (i.e. broker or client).</p>
 
-<h4 id="artemis-details">Artemis Details</h4>
+<h4 id="activemq-artemis-details">ActiveMQ Artemis Details</h4>
 
-<p>Artemis supports the OpenWire protocol and therefore has dependencies from 
“Classic” for this support. These dependencies include the vulnerable code. 
However, Artemis doesn’t ship Spring so there is currently no known exploit. 
Regardless, upgrading is still recommended.</p>
+<p>ActiveMQ Artemis supports the OpenWire protocol and therefore has 
dependencies from ActiveMQ Classic for this support. These dependencies include 
the vulnerable code. However, Artemis doesn’t ship Spring so there is currently 
no known exploit. Regardless, upgrading is still recommended.</p>
 
       </div>
     </div>
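Review bot: changing the heading anchors from `id="classic-details"` / `id="artemis-details"` to `id="activemq-classic-details"` / `id="activemq-artemis-details"` silently breaks any existing links to this advisory that use the old fragments (mailing-list replies, Jira comments, third-party advisories); either keep the original ids or add an empty `<a id="classic-details"></a>` / `<a id="artemis-details"></a>` just before each renamed heading so old links still resolve. Also, the rename is incomplete within the Artemis paragraph: the rewritten line still reads "However, Artemis doesn’t ship Spring", while every other mention in the hunk now uses "ActiveMQ Artemis".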