Description
Improper Certificate Validation in Apache activemq-client
The Apache ActiveMQ Client before 5.15.6 did not perform TLS hostname verification, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. Hostname verification is now enabled by default.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-11775
- https://github.com/apache/activemq/commit/02971a40e281713a8397d3a1809c164b594abfbb
- https://github.com/apache/activemq/commit/bde7097fb8173cf871827df7811b3865679b963d
- https://access.redhat.com/errata/RHSA-2019:3892
- https://github.com/advisories/GHSA-m9w8-v359-9ffr
- https://issues.apache.org/jira/browse/AMQ-7047
- https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d@%3Ccommits.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html
- http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
Packages
org.apache.activemq:activemq-client
Affected versions: < 5.15.6
Fixed version: 5.15.6
Related vulnerabilities
TLS hostname verification when using the Apache ActiveMQ Client before ...
Vulnerability in the Apache ActiveMQ software platform, related to security configuration errors, that allows an attacker to carry out a man-in-the-middle attack