This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f5fc7235d Automatic Site Publish by Buildbot
f5fc7235d is described below
commit f5fc7235df40422fa594a91c25903bee334cf336
Author: buildbot <[email protected]>
AuthorDate: Tue Apr 30 15:09:29 2024 +0000
Automatic Site Publish by Buildbot
---
output/components/classic/security.html | 1 +
.../CVE-2024-32114-announcement.txt | 25 ++++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/output/components/classic/security.html
b/output/components/classic/security.html
index 50add1bee..e8d63a702 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,7 @@
<p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting
new security issues.</p>
<ul>
+ <li><a
href="../../security-advisories.data/CVE-2024-32114-announcement.txt">CVE-2024-32114</a>
- Jolokia and REST API were not secured with default configuration</li>
<li><a
href="../../security-advisories.data/CVE-2023-46604-announcement.txt">CVE-2023-46604</a>
- Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a
remote code execution (RCE) attack</li>
<li><a
href="../../security-advisories.data/CVE-2022-41678-announcement.txt">CVE-2022-41678</a>
- Deserialization vulnerability on Jolokia that allows authenticated users to
perform remote code execution (RCE)</li>
<li><a
href="../../security-advisories.data/CVE-2021-26117-announcement.txt">CVE-2021-26117</a>
- ActiveMQ: LDAP-Authentication does not verify passwords on servers with
anonymous bind</li>
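Review bot: the new `<li>` for CVE-2024-32114 gives no affected-version range, while the announcement it links to scopes the issue to Apache ActiveMQ 6.x before 6.1.2; since this is the Classic component page and 5.x users will read it too, suggest appending the range to the summary, e.g. `- Jolokia and REST API were not secured with default configuration (ActiveMQ 6.x before 6.1.2)`, so a reader can tell whether they are affected without opening the text file. The link target `../../security-advisories.data/CVE-2024-32114-announcement.txt` matches the file added in the second hunk, and placing the entry first keeps the newest-first order of the existing list.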
diff --git a/output/security-advisories.data/CVE-2024-32114-announcement.txt
b/output/security-advisories.data/CVE-2024-32114-announcement.txt
new file mode 100644
index 000000000..b39b2036f
--- /dev/null
+++ b/output/security-advisories.data/CVE-2024-32114-announcement.txt
@@ -0,0 +1,25 @@
+Affected versions:
+
+- Apache ActiveMQ 6.x before 6.1.2
+
+Description:
+
+In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web
context (where the Jolokia JMX REST API and the Message REST API are located).
+
+It means that anyone can use these layers without any required authentication.
Potentially, anyone can interact with the broker (using Jolokia JMX REST API)
and/or produce/consume messages or purge/delete destinations (using the Message
REST API).To mitigate, users can update the default conf/jetty.xml
configuration file to add authentication requirement:
+
+<bean id="securityConstraintMapping"
class="org.eclipse.jetty.security.ConstraintMapping">
+ <property name="constraint" ref="securityConstraint" />
+ <property name="pathSpec" value="/" />
+</bean>
+
+Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default
configuration has been updated with authentication by default.
+
+This issue is being tracked as AMQ-9477
+
+References:
+
+https://activemq.apache.org/security-advisories.data/CVE-2024-32114
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2024-32114
+https://issues.apache.org/jira/browse/AMQ-9477
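Review bot: the mitigation snippet is incomplete as written: the `securityConstraintMapping` bean points at `ref="securityConstraint"`, but no `securityConstraint` bean appears anywhere in the advisory, and the text does not say where the mapping has to be registered, so a reader who pastes only these five lines into conf/jetty.xml has no guarantee that anything is enforced. Suggest either including the referenced bean and the line that attaches the mapping to the existing constraint security handler, or stating explicitly that the snippet assumes the shipped jetty.xml already defines `securityConstraint` and that the new mapping must be added to that handler's constraint mappings. Two smaller points: the first References entry `https://activemq.apache.org/security-advisories.data/CVE-2024-32114` does not match the file this commit actually adds, which the security.html hunk links as `security-advisories.data/CVE-2024-32114-announcement.txt`, so one of the two is wrong; and there is a missing space in `REST API).To mitigate` and a missing full stop after `AMQ-9477`.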