Debian Security Advisory
DLA-2583-1 activemq -- LTS security update
- Date Reported:
- 08 Mar 2021
- Affected Packages:
- activemq
- Security database references:
- In the Debian bugtracking system: Bug 890352, Bug 908950, Bug 982590.
In Mitre's CVE dictionary: CVE-2017-15709, CVE-2018-11775, CVE-2019-0222, CVE-2021-26117.
- More information:
Multiple security issues were discovered in activemq, a message broker built around Java Message Service.
When using the OpenWire protocol in activemq, it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
TLS hostname verification was missing when using the Apache ActiveMQ Client, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. Hostname verification is now enabled by default.
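As an added example, not taken from the advisory or from the ActiveMQ project, the following Java client pins hostname verification on explicitly instead of relying on the new default, and trusts only a dedicated truststore rather than the JVM default. The broker host, truststore path and password are assumed values; `verifyHostName` is the upstream ActiveMQ transport option (5.15.6 and later) and is assumed here to be honoured by the patched Debian build.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class VerifiedSslClient {
    // Assumed broker address; verifyHostName=true is stated explicitly so the
    // client fails closed even if a future configuration change flips the default.
    private static final String BROKER_URL =
        "ssl://broker.example.internal:61617?verifyHostName=true";

    // Assumed truststore location and password (placeholders for this example).
    private static final String TRUST_STORE = "/etc/activemq/client-truststore.jks";
    private static final String TRUST_STORE_PASSWORD = "changeit";

    public static ActiveMQSslConnectionFactory newFactory() throws Exception {
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(BROKER_URL);
        // Trust only the CA that issued the broker certificate, not every CA in the JVM store.
        factory.setTrustStore(TRUST_STORE);
        factory.setTrustStorePassword(TRUST_STORE_PASSWORD);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        ActiveMQSslConnectionFactory factory = newFactory();
        Connection connection = null;
        try {
            // With hostname verification on, a certificate whose subject or SAN does not
            // match broker.example.internal is rejected here before any JMS traffic flows.
            connection = factory.createConnection();
            connection.start();
            System.out.println("TLS connection established with hostname verification");
        } catch (JMSException e) {
            System.err.println("Connection rejected: " + e.getMessage());
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }
}
```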
Unmarshalling a corrupt MQTT frame can lead to an Out of Memory exception in the broker, making it unresponsive.
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. The anonymous context was erroneously used to verify a valid user's password, resulting in no check on the password.
For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u2.
We recommend that you upgrade your activemq packages.
For the detailed security status of activemq please refer to its security tracker page at: https://security-tracker.debian.org/tracker/activemq
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS