Thanks JB. What's to stop a malicious broker trying to recreate the vulnerability then by sending a crafted message to a client?
Colm.

On Mon, Nov 6, 2023 at 2:53 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi Colm
>
> It's on the broker side, not on the client side. However, the change
> is also on the client side as it's in the OpenWire marshalling (shared
> between the client and the broker).
>
> Regards
> JB
>
> On Mon, Nov 6, 2023 at 3:28 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >
> > Hi,
> >
> > Security vendors (e.g.
> > https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are
> > flagging CVE-2023-46604 against activemq-client (I guess by looking at
> > the changes to activemq-client in
> > https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436).
> > However, the explanation on
> > https://activemq.apache.org/news/cve-2023-46604 only mentions the
> > broker as being vulnerable: "The vulnerability may allow a remote
> > attacker with network access to a broker to run arbitrary shell
> > commands"...
> >
> > Is a client of ActiveMQ vulnerable to this CVE if, for example, it
> > parses a malicious message from the broker? Or is it indeed only the
> > broker that is vulnerable?
> >
> > Thanks,
> >
> > Colm.