Описание
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat AMQ Broker 7 | mqtt-client | Not affected | ||
| Red Hat CodeReady Studio 12 | activemq | Affected | ||
| Red Hat Decision Manager 7 | activemq-artemis | Not affected | ||
| Red Hat JBoss A-MQ 6 | activemq | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | activemq-artemis | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | activemq-artemis | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Continuous Delivery | activemq-artemis | Out of support scope | ||
| Red Hat JBoss Fuse 6 | activemq | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | activemq | Out of support scope | ||
| Red Hat Process Automation 7 | activemq-artemis | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...
EPSS
5.9 Medium
CVSS3