SB2024072339 - Ubuntu update for activemq

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024072339

SB2024072339 - Ubuntu update for activemq

Published: July 23, 2024 Updated: June 20, 2025

Security Bulletin ID SB2024072339
Severity
Critical
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 17% High 17% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) XML Entity Expansion (CVE-ID: CVE-2015-7559)

The vulnerability allows a remote attacker to cause a denial o service (DoS) attack on the tared system.

The vulnerability exists due to the client package exposed a remote shutdown command in the "ActiveMQConnection" class. A remote attacker can use this flaw to cause a DoS condition on the affected system.

2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2018-11775)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to the Apache ActiveMQ Client does not validate hostname when using SSL/TLS protocol to connect to the Apache ActiveMQ server. A remote attacker can perform a Man-in-the-Middle (MitM) attack and intercept all traffic between Java client and ActiveMQ server.


3) Improper Authentication (CVE-ID: CVE-2020-13920)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects.


4) Improper Authentication (CVE-ID: CVE-2021-26117)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a logic error in ActiveMQ LDAP login module when configured to to use anonymous access to the LDAP server. A remote attacker can provide a valid username and no password and gain unauthorized access to the system.


5) Deserialization of untrusted data (CVE-ID: CVE-2022-41678)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in Jolokia. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Deserialization of Untrusted Data (CVE-ID: CVE-2023-46604)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References