This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push:
new 1ae283210b [#] SECURITY.md updates (#2034)
1ae283210b is described below
commit 1ae283210b99a478750417274ebe63ab77038c12
Author: Matt Pavlovich <[email protected]>
AuthorDate: Fri May 22 06:48:32 2026 -0500
[#] SECURITY.md updates (#2034)
* [#] SECURITY.md updates
---------
Co-authored-by: Christopher L. Shannon <[email protected]>
---
SECURITY.md | 38 +++++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index abb7649122..7f82baf278 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,13 +2,13 @@
## Supported Versions
-| Version | Supported |
-| ------- | ------------------ |
-| 6.2.x | :white_check_mark: |
-| 6.1.x | :x: |
-| 6.0.x | :x: |
-| 5.19.x | :white_check_mark: |
-| <= 5.18.x | :x: |
+| Version | Supported | Note |
+| ------- | ------------------ | ---- |
+| 6.2.x | :white_check_mark: | |
+| 6.1.x | :x: | |
+| 6.0.x | :x: | |
+| 5.19.x | :white_check_mark: | Except for EOL dependencies: Spring and
Jetty |
+| <= 5.18.x | :x: | |
## Reporting a Vulnerability
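Review bot: the new Note cell for 5.19.x in this hunk ("Except for EOL dependencies: Spring and Jetty") does not say what a user should do with that information: whether vulnerability reports against the Spring or Jetty versions bundled with 5.19.x will be declined, and whether the remedy is to move to 6.2.x. Suggest spelling both out, e.g. "Supported, but the Spring and Jetty versions bundled with 5.19.x are end-of-life upstream; CVEs in those dependencies will not be fixed on 5.19.x, upgrade to 6.2.x". Since the table now carries a Note column, the :x: rows would also benefit from a short "Not supported, upgrade to 6.2.x or 5.19.x" note instead of an empty cell.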
@@ -33,6 +33,10 @@ Apache ActiveMQ's flexibility and wide ranging set of
capabilities and features
itself to being exposed to security vulnerabilities, especially ones from
third-party
projects such as Spring and Jolokia.
+Apache ActiveMQ project recommends applying defense-in-depth and
security-first to provide layers of security to environments running production
workloads.
+
+Layers of security provide valuable options to prevent attacks, and to provide
a buffer for when vulnerabilities at any layer are reported to provide
reasonable time to test and apply fixes without impacting business-critical
messaging traffic.
+
Users are advised to secure their environments
1. The web console is not designed to be exposed to the public Internet.
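Review bot: the first added sentence in this hunk is missing its article and uses "security-first" as a noun ("Apache ActiveMQ project recommends applying defense-in-depth and security-first to provide layers of security"); suggest "The Apache ActiveMQ project recommends a defense-in-depth, security-first approach that provides multiple layers of security for environments running production workloads." The second added paragraph repeats "provide" three times in one sentence; suggest "Layered security gives operators options to prevent attacks and a buffer when a vulnerability is reported at any layer, so fixes can be tested and applied without disrupting business-critical messaging traffic." The trailing context line "Users are advised to secure their environments" introduces the numbered list that follows and should end with a colon.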
@@ -51,11 +55,9 @@ Users are advised to secure their environments
8. Limit inbound and outbound network connectivity to and from an ActiveMQ
server.
-## Upcoming ActiveMQ Security Improvements
+## ActiveMQ Security Improvement Project
-Apache ActiveMQ projects recommends applying defense-in-depth and
security-first to provide layers of security to environments running production
workloads.
-
-Layers of security provide valuable options to prevent attacks, and to provide
a buffer for when vulnerabilities at any layer are reported to provide
reasonable time to test and apply fixes without impacting business-critical
messaging traffic.
+The Apache ActiveMQ team has initiated a security hardening project to move
from a default configuration that is geared for developer testing and learning
to a secured-by-default stance.
1. Enhancements to the SSL authentication plugin to fix wantAuth mode
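Review bot: the replacement paragraph for the renamed "ActiveMQ Security Improvement Project" section announces a move from defaults geared for developer testing to a secured-by-default stance, but neither it nor the list it introduces says which release each change ships in. Because these items alter default behaviour (the wantAuth fix in item 1, for example), suggest adding the target or completed version next to each item, or a link to the tracking issue, so operators on 5.19.x or 6.2.x can tell which hardening they already have and which will change behaviour on upgrade. The removed text also carried a subject/verb mismatch ("Apache ActiveMQ projects recommends"); make sure the moved copy earlier in the file reads "The Apache ActiveMQ project recommends".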
@@ -70,3 +72,17 @@ Layers of security provide valuable options to prevent
attacks, and to provide a
6. Add allow/deny lists to transport connectors to limit IP addresses
7. [Done] VM Transport creation blocks the XBean factory by default
+
+## Security vs Features
+
+AI code scanning tools often mistaken designed features as a security issue.
It is the responsibility of the reporter to review AI output and verify if it's
a real issue. There has been a large number of invalid submissions that could
be avoided by simply reviewing the JMS spec and the features of the broker
itself.
+
+Some of the most common reported examples:
+
+1. JMS Selectors - An optional query parameter designed to filter messages on
a queue or topic that is not security related. It is used by clients to consume
a subset of messages on the destination instead of all messages. However, if a
client is authorized for a destination it is always free to consume all the
messages if it chooses so by simply not setting the selector. Therefore any
reports showing issues with selectors allowing the consumption of extra
messages would be considered a [...]
+
+2. ClientId - A non-secret unique identifier used to provide
once-and-only-once delivery that are designed to be used between connections
and be deleted. The JMS spec specifically allows any authorized connection to
use the same clientid as long as it isn't currently in use. Some protocols,
such as MQTT, also allow link stealing and taking over if in use.
+
+3. Durable Subscriptions - The JMS spec allows authorized connections to
connect to any existing durable subscription (combination of client id and
subscription name) as long as it is offline. Authorized clients are allowed to
delete the durable subscriptions as well even if they didn't create it.
+
+4. BlobMessages - Blob message support is a side-channel for moving large
messages with the JMS API by routing the large message through a different
endpoint such as http, sftp or scp. Clients using BlobMessages are responsible
for validating the authenticity and validity of the uri provided by the
received message before taking any action such as downloading or deleting the
file. ActiveMQ recommends using SSL secured transports, with two-way SSL as the
most preferred.
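Review bot: the opening paragraph of the new "Security vs Features" section has grammar problems that weaken its message: "often mistaken designed features as a security issue" should be "often mistake designed features for security issues", and "There has been a large number" should be "There have been a large number". Item 2's "A non-secret unique identifier used to provide once-and-only-once delivery that are designed to be used between connections and be deleted" does not parse; suggest "A non-secret identifier that lets the broker provide once-and-only-once delivery across connections; client ids are meant to be reused between connections and then deleted." The section would also read more clearly if it stated the acceptance criterion up front: reports in these categories are treated as invalid unless they show a client acting on a destination or subscription it is not authorized for, which is the test each of the four items applies. In item 4, "SSL secured transports" should say which transport is meant (the broker connection, the blob upload endpoint, or both), since the blob itself moves over a separate http, sftp or scp channel. Item 1 is cut off at "[...]" in this message, so the conclusion of the selectors item cannot be reviewed here.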
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact