Re: Impact of CVE-2023-46604 on activemq-client

2023-11-07 Thread Justin Bertram
After some additional internal discussion we'll be updating the description of the CVE as well as the details on the ActiveMQ website to revise our guidance and make this potential exploit more clear.

Thanks for following up!

Justin

On Tue, Nov 7, 2023 at 4:07 AM Colm O hEigeartaigh wrote:
>

Re: Impact of CVE-2023-46604 on activemq-client

2023-11-07 Thread Jean-Baptiste Onofré
Hi Colm

If you think about a man-in-the-middle attack or a malicious broker, you are right, that's possible because the issue is on the OpenWire protocol. However, even if possible, I think it's rare compared to a malicious client.

Regards
JB

On Tue, Nov 7, 2023 at 10:58 AM Colm O hEigeartaigh

Re: Impact of CVE-2023-46604 on activemq-client

2023-11-07 Thread Colm O hEigeartaigh
Thanks JB. What's to stop a malicious broker trying to recreate the vulnerability then by sending a crafted message to a client?

Colm.

On Mon, Nov 6, 2023 at 2:53 PM Jean-Baptiste Onofré wrote:
>
> Hi Colm
>
> It's on the broker side, not on the client side. However, the change
> is also on