Source: activemq
Version: 5.17.6+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for activemq.

We need some help here to assess the CVEs in particular for older
versions, as there was a substantial batch of CVEs assigned for
activemq recently. Thus as well not filling individual bugs but make
sure you can update to next upstream version including fixes for those
in forky.

CVE-2025-66168[0]:
| WARNING:  Users of 6.x should upgrade to 6.2.4 or later as the fix
| was missed in previous 6.x releases.  See the  following for more
| details:  https://activemq.apache.org/security-
| advisories.data/CVE-2026-40046-announcement.txt
| https://www.cve.org/CVERecord?id=CVE-2026-40046     Original Report:
| Apache ActiveMQ does not properly validate the remaining length
| field which may lead to an overflow during the decoding of malformed
| packets. When this integer overflow occurs, ActiveMQ may incorrectly
| compute the total Remaining Length and subsequently misinterpret the
| payload as multiple MQTT control packets which makes the broker
| susceptible to unexpected behavior when interacting with non-
| compliant clients. This behavior violates the MQTT v3.1.1
| specification, which restricts Remaining Length to a maximum of 4
| bytes. The scenario occurs on established connections after the
| authentication process. Brokers that are not enabling mqtt transport
| connectors are not impacted.  This issue affects Apache ActiveMQ:
| before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0  Users are recommended to
| upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.


CVE-2026-42253[1]:
| Improper Neutralization of Input During Web Page Generation ('Cross-
| site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ
| Web.  The MessageServlet in the ActiveMQ web console API copies
| every JMS message property into an HTTP response header without any
| validation. This can allow overwriting and injecting security
| headers by setting them on JMS messages that are returned by the
| servlet.  This issue affects Apache ActiveMQ: before 5.19.7, from
| 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0
| before 6.2.6.  Users are recommended to upgrade to version 5.19.7 or
| 6.2.6, which fixes the issue. The MessageServlet has now been
| deprecated and disabled by default.


CVE-2026-42588[2]:
| Improper Input Validation, Improper Control of Generation of Code
| ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache
| ActiveMQ All, Apache ActiveMQ.  Apache ActiveMQ Classic exposes the
| Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The
| default Jolokia access policy permits exec operations on all
| ActiveMQ MBeans (org.apache.activemq:*), including
| BrokerService.addNetworkConnector(String).  An authenticated
| attacker can invoke these operations with a crafted discovery URI
| that triggers the VM transport's brokerConfig parameter using the
| "masterslave:// " URL which can allow loading a Spring XML
| application context using ResourceXmlApplicationContext. Because
| Spring's ResourceXmlApplicationContext instantiates all singleton
| beans before the BrokerService validates the configuration,
| arbitrary code execution occurs on the broker's JVM through bean
| factory methods such as Runtime.exec(). This issue affects Apache
| ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.  Users are
| recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
| issue.


CVE-2026-45505[3]:
| Improper Input Validation, Improper Control of Generation of Code
| ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache
| ActiveMQ All, Apache ActiveMQ.   Non-parenthesized discovery
| wrappers such as `masterslave:vm://...,...` and `static:vm://...`
| incorrectly pass validation allowing bypass of fix
| in CVE-2026-34197.   Original description from CVE-2026-34197.
| Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/
| on the web console. The default Jolokia access policy permits exec
| operations on all ActiveMQ MBeans (org.apache.activemq:*), including
| BrokerService.addNetworkConnector(String) and
| BrokerService.addConnector(String). An authenticated attacker can
| invoke these operations with a crafted discovery UR that triggers
| the VM transport's brokerConfig parameter to load a remote Spring
| XML application context using ResourceXmlApplicationContext. Because
| Spring's ResourceXmlApplicationContext instantiates all singleton
| beans before the BrokerService validates the configuration,
| arbitrary code execution occurs on the broker's JVM through bean
| factory methods such as Runtime.exec().  This issue affects Apache
| ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.  Users are
| recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
| issue.


CVE-2026-46605[4]:
| Incomplete authorization by Apache ActiveMQ server before versions
| v6.2.6 and v5.19.7 allows authenticated connections to remove
| existing destinations with proper permissions.  This issue affects
| Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6;
| Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.  Users are
| recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the
| issue.


CVE-2026-49157[5]:
| Incorrect Default Permissions vulnerability in Apache ActiveMQ.
| This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before
| 6.2.6.  The default Jolokia authorization settings granted non-admin
| (low-privilege) web-login accounts access to Jolokia operations
| which allowed executing broker management operations meant for
| admins such as addQueue and removeQueue.  Users are recommended to
| upgrade to version 6.2.6 or 5.19.7, which fixes the issue.


CVE-2026-49270[6]:
| Exposure of Sensitive Information Through Metadata vulnerability in
| Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.
| Brokers that are configured with a network connector with
| syncDurableSubs set to true, are vulnerable to an unauthenticated
| attacker who can receive a list of all durable topic subscriptions
| in the broker, including client identifiers, subscription names,
| topic destinations, and JMS selector expressions, by sending a
| BrokerInfo command. The broker incorrectly responds without first
| ensuring the connection is authenticated. This issue affects Apache
| ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache
| ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ
| All: before 5.19.7, from 6.0.0 before 6.2.6.  Users are recommended
| to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.


CVE-2026-49432[7]:
| Improper Input Validation vulnerability in Apache ActiveMQ, Apache
| ActiveMQ All, Apache ActiveMQ Stomp.  A remote unauthenticated peer
| that can reach an exposed STOMP connector can trigger denial-of-
| service behavior by sending a negative content-length. For the NIO
| STOMP transport, an attacker can keep streaming body bytes and grow
| the per-connection command buffer beyond configured limits to cause
| OOM. For the blocking STOMP protocol, an error will instead force
| abnormal transport exception handling for the affected connection
| and closure. This issue affects Apache ActiveMQ: before 5.19.8, from
| 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0
| before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0
| before 6.2.7.     Users are recommended to upgrade to version 6.2.7
| or 5.19.8, which fixes the issue.


CVE-2026-49434[8]:
| Improper Input Validation vulnerability in Apache ActiveMQ Broker,
| Apache ActiveMQ, Apache ActiveMQ All.  An attacker that has access
| to publish or modify entries in LDAP that match the configured
| searchBase and searchFilter can instantiate denied transports inside
| the broker JVM. This can be used to fetch an attacker URL and spawn
| a second BrokerService inside the same JVM. This issue affects
| Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7;
| Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache
| ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7.   Users are
| recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
| issue.


CVE-2026-49877[9]:
| Improper Authorization vulnerability in Apache ActiveMQ.  An
| authenticated low-privilege Web Console user by default can access
| /admin/* paths in the Web Console. The default Jetty settings
| incorrectly did not limit those paths to only admins. This issue
| affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
| Users are recommended to upgrade to version 6.2.7 or 5.19.8, which
| fixes the issue.


CVE-2026-50734[10]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All.  An
| unauthenticated network attacker can cause a broker DoS by sending a
| crafted WireFormatInfo frame with a malicious large size value. The
| value is not validate and causes the broker to attempt allocation
| during pre-auth negotiation which can trigger OOM and crash the
| broker. This issue affects Apache ActiveMQ Client: before 5.19.8,
| from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0
| before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before
| 6.2.7.  Users are recommended to upgrade to version 6.2.7 or 5.19.8,
| which fixes the issue.


CVE-2026-50750[11]:
| Denial of Service via Out of Memory vulnerability in Apache ActiveMQ
| Broker, Apache ActiveMQ, Apache ActiveMQ All.  Following the fix for
| CVE-2026-49270 an unauthenticated attacker can now cause broker OOM
| by sending an repeated BrokerInfo commands without sending a
| ConnectionInfo, until the broker will crash with OOM. This issue
| affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from
| 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from
| 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8,
| from 6.2.6 before 6.2.7.  Users are recommended to upgrade to
| version 6.2.7, which fixes the issue.


CVE-2026-52760[12]:
| Improper Neutralization of Input During Web Page Generation ('Cross-
| site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ
| Web Console.  The browse page in the web console renders a message
| Id directly without sanitization. This allows an authenticated
| producer to send a message with a JMS message ID that has
| been crafted to contain HTML/JavaScript such that when an
| administrator browses the queue in the Web Console, the payload
| executes in their browser. This issue affects Apache ActiveMQ:
| before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console:
| before 5.19.8, from 6.0.0 before 6.2.7.  Users are recommended to
| upgrade to version 6.2.7 or 5.19.8, which fixes the issue.


CVE-2026-53916[13]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.   An
| unauthenticated client that opens a STOMP NIO connection can send
| header bytes that never terminate which makes the broker buffer them
| without limit, exhausting the JVM heap.  This issue affects Apache
| ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
| All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp:
| before 5.19.8, from 6.0.0 before 6.2.7.  Users are recommended to
| upgrade to version 6.2.7 or 5.19.8, which fixes the issue.


CVE-2026-53917[14]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache
| ActiveMQ Broker.  An authenticated user can cause a broker DoS by
| sending a crafted OpenWire Message with a large encoded size value
| for the map. OpenWire message property maps are unmarshaled without
| size validation which can trigger OOM and crash the broker. This
| issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before
| 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7;
| Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7;
| Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7.
| Users are recommended to upgrade to version 6.2.7 or 5.19.8, which
| fixes the issue.


CVE-2026-54475[15]:
| Missing Authorization vulnerability in Apache ActiveMQ Broker,
| Apache ActiveMQ All, Apache ActiveMQ.  Apache ActiveMQ Classic
| temporary destinations are expected to be isolated to the connection
| that created them. The isolation can be broken as this is only
| checked in the client, allowing a different connection to consume
| from another connection's temporary destination. This issue affects
| Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7;
| Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache
| ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.  Users are
| recommended to upgrade to version 6.2.7, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66168
    https://www.cve.org/CVERecord?id=CVE-2025-66168
[1] https://security-tracker.debian.org/tracker/CVE-2026-42253
    https://www.cve.org/CVERecord?id=CVE-2026-42253
[2] https://security-tracker.debian.org/tracker/CVE-2026-42588
    https://www.cve.org/CVERecord?id=CVE-2026-42588
[3] https://security-tracker.debian.org/tracker/CVE-2026-45505
    https://www.cve.org/CVERecord?id=CVE-2026-45505
[4] https://security-tracker.debian.org/tracker/CVE-2026-46605
    https://www.cve.org/CVERecord?id=CVE-2026-46605
[5] https://security-tracker.debian.org/tracker/CVE-2026-49157
    https://www.cve.org/CVERecord?id=CVE-2026-49157
[6] https://security-tracker.debian.org/tracker/CVE-2026-49270
    https://www.cve.org/CVERecord?id=CVE-2026-49270
[7] https://security-tracker.debian.org/tracker/CVE-2026-49432
    https://www.cve.org/CVERecord?id=CVE-2026-49432
[8] https://security-tracker.debian.org/tracker/CVE-2026-49434
    https://www.cve.org/CVERecord?id=CVE-2026-49434
[9] https://security-tracker.debian.org/tracker/CVE-2026-49877
    https://www.cve.org/CVERecord?id=CVE-2026-49877
[10] https://security-tracker.debian.org/tracker/CVE-2026-50734
    https://www.cve.org/CVERecord?id=CVE-2026-50734
[11] https://security-tracker.debian.org/tracker/CVE-2026-50750
    https://www.cve.org/CVERecord?id=CVE-2026-50750
[12] https://security-tracker.debian.org/tracker/CVE-2026-52760
    https://www.cve.org/CVERecord?id=CVE-2026-52760
[13] https://security-tracker.debian.org/tracker/CVE-2026-53916
    https://www.cve.org/CVERecord?id=CVE-2026-53916
[14] https://security-tracker.debian.org/tracker/CVE-2026-53917
    https://www.cve.org/CVERecord?id=CVE-2026-53917
[15] https://security-tracker.debian.org/tracker/CVE-2026-54475
    https://www.cve.org/CVERecord?id=CVE-2026-54475

Regards,
Salvatore
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.

Reply via email to