Re: Impact of CVE-2023-46604 on activemq-client
After some additional internal discussion we'll be updating the description of the CVE as well as the details on the ActiveMQ website to revise our guidance and make this potential exploit more clear. Thanks for following up!

Justin

On Tue, Nov 7, 2023 at 4:07 AM Colm O hEigeartaigh wrote:
> Thanks JB. What's to stop a malicious broker trying to recreate the vulnerability then by sending a crafted message to a client?
>
> Colm.
Re: Impact of CVE-2023-46604 on activemq-client
Hi Colm

If you think about a man-in-the-middle attack or a malicious broker, you are right, that's possible because the issue is in the OpenWire protocol. However, even if possible, I think it's rare compared to a malicious client.

Regards
JB

On Tue, Nov 7, 2023 at 10:58 AM Colm O hEigeartaigh wrote:
> Thanks JB. What's to stop a malicious broker trying to recreate the vulnerability then by sending a crafted message to a client?
>
> Colm.
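A defender-side consequence of the answer above: because the OpenWire marshalling is shared, an application that only ever acts as a client still carries the affected code through its activemq-client dependency, which is why vendors flag that artifact. The following added example (not from this thread or the ActiveMQ project) scans `mvn dependency:tree` output for the OpenWire-bearing artifacts and compares their versions against a fixed-release table; the sample tree and the `FIXED_BY_MINOR_PLACEHOLDER` values are constructed placeholders, since the thread does not give the fixed releases.

```python
"""Flag ActiveMQ OpenWire artifacts in a Maven dependency tree.

Added example, not from the thread or the ActiveMQ project. The sample
tree is constructed; FIXED_BY_MINOR_PLACEHOLDER must be replaced with
the fixed releases listed in the advisory (the thread does not give them).
"""
import re
from typing import Dict, List, Tuple

# group:artifact:type[:classifier]:version:scope as printed by dependency:tree
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:[\w\-]+:)+"
    r"(?P<version>\d[\w.\-]*):(?P<scope>\w+)"
)
# Artifacts that carry the OpenWire marshalling shared by client and broker.
OPENWIRE_ARTIFACTS = {"activemq-client", "activemq-all"}

# Constructed sample of `mvn dependency:tree` output for a client-only app.
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.apache.activemq:activemq-client:jar:5.18.2:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] +- org.apache.activemq:activemq-broker:jar:5.18.2:test
"""

# PLACEHOLDER values only: fill each 5.x line with its real fixed release.
FIXED_BY_MINOR_PLACEHOLDER = {"5.18": "5.18.99", "5.17": "5.17.99"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.18.2' -> (5, 18, 2); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def find_openwire_deps(tree: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, scope) for every OpenWire-bearing dependency."""
    return [
        (m["artifact"], m["version"], m["scope"])
        for m in COORD_RE.finditer(tree)
        if m["group"] == "org.apache.activemq" and m["artifact"] in OPENWIRE_ARTIFACTS
    ]


def is_affected(version: str, fixed_by_minor: Dict[str, str]) -> bool:
    """True when version predates the fixed release of its major.minor line.
    A line missing from the table is reported as affected (unknown == unsafe)."""
    major, minor = (parse_version(version) + (0, 0))[:2]
    fixed = fixed_by_minor.get(f"{major}.{minor}")
    return fixed is None or parse_version(version) < parse_version(fixed)
```

Run `find_openwire_deps` over the real tree and pass each version to `is_affected`; a test-scoped broker dependency is deliberately not reported, since only the OpenWire artifacts on the client path matter here.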
Re: Impact of CVE-2023-46604 on activemq-client
Thanks JB. What's to stop a malicious broker trying to recreate the vulnerability then by sending a crafted message to a client?

Colm.

On Mon, Nov 6, 2023 at 2:53 PM Jean-Baptiste Onofré wrote:
> Hi Colm
>
> It's on the broker side, not on the client side. However, the change is also on the client side as it's in the OpenWire marshalling (shared between the client and the broker).
>
> Regards
> JB
Re: Impact of CVE-2023-46604 on activemq-client
Hi Colm

It's on the broker side, not on the client side. However, the change is also on the client side as it's in the OpenWire marshalling (shared between the client and the broker).

Regards
JB

On Mon, Nov 6, 2023 at 3:28 PM Colm O hEigeartaigh wrote:
> Hi,
>
> Security vendors (e.g. https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are flagging CVE-2023-46604 against activemq-client (I guess by looking at the changes to activemq-client: https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436). However the explanation on https://activemq.apache.org/news/cve-2023-46604 only mentions the broker as being vulnerable: "The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands"...
>
> Is a client of ActiveMQ vulnerable to this CVE if for example it parses a malicious message from the broker? Or is it indeed only the broker who is vulnerable?
>
> Thanks,
>
> Colm.
Impact of CVE-2023-46604 on activemq-client
Hi,

Security vendors (e.g. https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are flagging CVE-2023-46604 against activemq-client (I guess by looking at the changes to activemq-client: https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436). However the explanation on https://activemq.apache.org/news/cve-2023-46604 only mentions the broker as being vulnerable: "The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands"...

Is a client of ActiveMQ vulnerable to this CVE if for example it parses a malicious message from the broker? Or is it indeed only the broker who is vulnerable?

Thanks,

Colm.