Package | activemq |
---|---|
Version | 5.14.3-3+deb9u3 (stretch), 5.15.16-0+deb10u2 (buster) |
Related CVEs | CVE-2023-46604, CVE-2022-41678 |
Two vulnerabilities were discovered in the activemq suite of packages. ActiveMQ is a Java-based, flexible and powerful open source multi-protocol message broker.
CVE-2022-41678
Once a user is authenticated to the Jolokia endpoint (the JMX-over-HTTP interface exposed by the ActiveMQ web console), they can potentially trigger arbitrary code execution through the MBeans it exposes. Valid web console credentials are therefore required to exploit this issue, but holders of such credentials should not be assumed to be trusted with code execution on the broker host.
The fix for this problem has been added to both the Debian Stretch and the Debian Buster packages.
CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Because the attack needs only network access to the OpenWire transport, no broker credentials are required; both brokers and OpenWire clients built on the affected library are in scope.
The fix for this problem has been added to the Debian Stretch package. The Debian Buster package was already fixed in a previous update, version 5.15.16-0+deb10u1.
For Debian 10 buster, these problems have been fixed in version 5.15.16-0+deb10u2 (CVE-2023-46604 was already addressed in 5.15.16-0+deb10u1; this update adds the fix for CVE-2022-41678).
For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u3.
We recommend that you upgrade your activemq packages.
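As an added example (not part of this advisory, nor of the Debian or ActiveMQ packaging), the following Python script checks an installed activemq package version against the fixed versions listed above and reports which of the two CVEs remain unfixed. It reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything and `+deb9u3`-style suffixes handled correctly) so that it runs without `apt_pkg` or `dpkg --compare-versions`; the fixed-version table is taken from this advisory, and the installed versions used when no arguments are given are constructed samples.

```python
"""Check an installed Debian activemq version against the fixed versions in
this advisory (added example; not the advisory's or the project's own code)."""

import sys

# Fixed versions per CVE and suite, taken from the advisory text above.
FIXED_VERSIONS = {
    "CVE-2022-41678": {"stretch": "5.14.3-3+deb9u3", "buster": "5.15.16-0+deb10u2"},
    "CVE-2023-46604": {"stretch": "5.14.3-3+deb9u3", "buster": "5.15.16-0+deb10u1"},
}


def _order(c):
    """Weight of one character in dpkg's ordering: '~' sorts before anything
    (even end of string), letters before other punctuation; digits weigh 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between a
    non-digit run (compared character by character through _order) and a
    numeric run (compared numerically, leading zeros ignored)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0   # end of string weighs 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():   # a has more digits: longer number wins
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def unfixed_cves(suite, installed_version):
    """CVEs from this advisory that the installed version does not yet fix."""
    return [cve for cve, per_suite in FIXED_VERSIONS.items()
            if dpkg_compare(installed_version, per_suite[suite]) < 0]


if __name__ == "__main__":
    # Usage: python3 check_activemq.py <suite> "$(dpkg-query -W -f='${Version}' activemq)"
    # With no arguments, a constructed sample (an out-of-date buster install) is used.
    if len(sys.argv) == 3:
        suite, installed = sys.argv[1], sys.argv[2]
    else:
        suite, installed = "buster", "5.15.16-0+deb10u1"
    missing = unfixed_cves(suite, installed)
    status = "all advisory CVEs fixed" if not missing else "still affected by " + ", ".join(missing)
    print(f"activemq {installed} on {suite}: {status}")
```

The comparison is written against the `dpkg` rules rather than a plain string or tuple comparison because the revisions in play here (`3+deb9u2` versus `3+deb9u3`, or `0+deb10u1` versus `0+deb10u2`) only order correctly when numeric runs are compared as numbers and `+` is ranked after letters; a naive lexical comparison gives wrong answers as soon as a component reaches two digits.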
Further information about Extended LTS security advisories can be found in the dedicated section of our website.