Hi Colm If you think about man in the middle attack or malicious broker, you are right, that's possible because the issue is on the openwire protocol. However, even if possible, I think it's rare compared to malicious client.
Regards JB On Tue, Nov 7, 2023 at 10:58 AM Colm O hEigeartaigh <cohei...@apache.org> wrote: > > Thanks JB. What's to stop a malicious broker trying to recreate the > vulnerability then by sending a crafted message to a client? > > Colm. > > On Mon, Nov 6, 2023 at 2:53 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote: > > > > Hi Colm > > > > It's on the broker side, not on the client side. However, the change > > is also on client side as it's on the openwire marshalling (shared > > between the client and the broker). > > > > Regards > > JB > > > > On Mon, Nov 6, 2023 at 3:28 PM Colm O hEigeartaigh <cohei...@apache.org> > > wrote: > > > > > > Hi, > > > > > > Security vendors (e.g. > > > https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are > > > flagging CVE-2023-46604 against activemq-client (I guess by looking at > > > the changes to activemq-client > > > https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436). > > > However the explanation on > > > https://activemq.apache.org/news/cve-2023-46604 only mentions that the > > > broker as being vulnerable " The vulnerability may allow a remote > > > attacker with network access to a broker to run arbitrary shell > > > commands "... > > > > > > Is a client of ActiveMQ vulnerable to this CVE if for example it > > > parses a malicious message from the broker? Or is it indeed only the > > > broker who is vulnerable? > > > > > > Thanks, > > > > > > Colm.
