Lucene search

DebianDEBIAN:DLA-2583-1:724F6

HistoryMar 05, 2021 - 5:05 p.m.

[SECURITY] [DLA 2583-1] activemq security update

2021-03-0517:05:48

lists.debian.org

activemq

security

update

debian 9

cve-2017-15709

cve-2018-11775

cve-2019-0222

cve-2021-26117

message broker

java message service

tls

mitm

mqtt

ldap

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

0.007

Percentile

81.1%

JSON

Debian LTS Advisory DLA-2583-1 [email protected]
https://www.debian.org/lts/security/ Abhijith PA
March 05, 2021 https://wiki.debian.org/LTS

Package : activemq
Version : 5.14.3-3+deb9u2
CVE ID : CVE-2017-15709 CVE-2018-11775 CVE-2019-0222
CVE-2021-26117
Debian Bug : 890352 908950 982590

Multiple security issues were discovered in activemq, a message
broker built around Java Message Service.

CVE-2017-15709

When using the OpenWire protocol in activemq, it was found that 
certain system details (such as the OS and kernel version) are 
exposed as plain text.

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client 
was missing which could make the client vulnerable to a MITM 
attack between a Java application using the ActiveMQ client and 
the ActiveMQ server. This is now enabled by default.

CVE-2019-0222

Unmarshalling corrupt MQTT frame can lead to broker Out of Memory 
exception making it unresponsive

CVE-2021-26117

The optional ActiveMQ LDAP login module can be configured to use
anonymous access to the LDAP server. The anonymous context is used 
to verify a valid users password in error, resulting in no check 
on the password.

For Debian 9 stretch, these problems have been fixed in version
5.14.3-3+deb9u2.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allmqtt-client< 1.14-1+deb10u1mqtt-client_1.14-1+deb10u1_all.deb
Debian9allactivemq< 5.14.3-3+deb9u2activemq_5.14.3-3+deb9u2_all.deb
Debian9alllibactivemq-java< 5.14.3-3+deb9u2libactivemq-java_5.14.3-3+deb9u2_all.deb
Debian9allmqtt-client< 1.14-1+deb9u1mqtt-client_1.14-1+deb9u1_all.deb
Debian9alllibmqtt-client-java< 1.14-1+deb9u1libmqtt-client-java_1.14-1+deb9u1_all.deb
Debian10alllibmqtt-client-java< 1.14-1+deb10u1libmqtt-client-java_1.14-1+deb10u1_all.deb
Debian9alllibactivemq-java-doc< 5.14.3-3+deb9u2libactivemq-java-doc_5.14.3-3+deb9u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	mqtt-client	< 1.14-1+deb10u1	mqtt-client_1.14-1+deb10u1_all.deb
Debian	9	all	activemq	< 5.14.3-3+deb9u2	activemq_5.14.3-3+deb9u2_all.deb
Debian	9	all	libactivemq-java	< 5.14.3-3+deb9u2	libactivemq-java_5.14.3-3+deb9u2_all.deb
Debian	9	all	mqtt-client	< 1.14-1+deb9u1	mqtt-client_1.14-1+deb9u1_all.deb
Debian	9	all	libmqtt-client-java	< 1.14-1+deb9u1	libmqtt-client-java_1.14-1+deb9u1_all.deb
Debian	10	all	libmqtt-client-java	< 1.14-1+deb10u1	libmqtt-client-java_1.14-1+deb10u1_all.deb
Debian	9	all	libactivemq-java-doc	< 5.14.3-3+deb9u2	libactivemq-java-doc_5.14.3-3+deb9u2_all.deb