Description

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Remediation

References

https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E

https://security.netapp.com/advisory/ntap-20210827-0002/

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E

Related Vulnerabilities

CVE-2022-41919 Vulnerability in npm package fastify

CVE-2022-34190 Vulnerability in maven package eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin

CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.r5

CVE-2021-39154 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2016-5004 Vulnerability in maven package org.apache.xmlrpc:xmlrpc

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory Third Party Advisory NVD-CWE-Other