UNSUBSCRIBE

On Fri, Oct 27, 2023 at 2:08 PM Christopher L. Shannon <cshan...@apache.org>
wrote:

> Affected versions:
>
> - Apache ActiveMQ 5.18.0 before 5.18.3
> - Apache ActiveMQ 5.17.0 before 5.17.6
> - Apache ActiveMQ 5.16.0 before 5.16.7
> - Apache ActiveMQ before 5.15.16
> - Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
> - Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
> - Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
> - Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
>
> Description:
>
> Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability
> may allow a remote attacker with network access to a broker to run
> arbitrary shell commands by manipulating serialized class types in the
> OpenWire protocol to cause the broker to instantiate any class on the
> classpath.
>
> Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or
> 5.18.3, which fixes this issue.
>
> This issue is being tracked as AMQ-9370
>
> References:
>
> https://activemq.apache.org/security-advisories.data/CVE-2023-46604
> https://activemq.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-46604
> https://issues.apache.org/jira/browse/AMQ-9370
>
>
