This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.
CVE-2018-11775 - High Severity Vulnerability
Vulnerable Library - activemq-client-5.14.5.jar
The ActiveMQ Client implementation
path: /ddf/distribution/ddf/target/dependencies/apache-karaf-4.2.2/system/org/apache/activemq/activemq-client/5.14.5/activemq-client-5.14.5.jar
Library home page: http://activemq.apache.org/activemq-client
Dependency Hierarchy:
- :x: **activemq-client-5.14.5.jar** (Vulnerable Library)

Vulnerability Details
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
Publish Date: 2018-09-10
URL: CVE-2018-11775
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041618
Fix Resolution: The vendor has issued a fix (5.15.6). The vendor advisory is available at: http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
Step up your Open Source Security Game with WhiteSource here
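Added example, not code from DDF or from the ActiveMQ project, to make the finding concrete for whoever picks up the upgrade. The CVE is about the client accepting any certificate that chains to a trusted CA, regardless of the name in it; the 5.15.6 fix turns on JSSE endpoint identification (the "HTTPS" algorithm on `SSLParameters`) for client sockets. The code below shows the raw JSSE socket before and after that setting, and the same check through `ActiveMQSslConnectionFactory` with the client-side `socket.verifyHostName` URI option made explicit. Assumptions: the broker host `broker.example.internal`, port 61617, the truststore file `client.ts` and its password are placeholders; the `socket.verifyHostName` option name is taken from my reading of the 5.15.6 client and should be checked against the vendor advisory before relying on it. It needs `activemq-client` 5.15.6 or later and the JMS 1.1 API on the classpath.

```java
// Added example for this issue (not DDF or ActiveMQ project code). Placeholders below
// (host, port, truststore path/password) are assumptions, not values from the issue.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.jms.Connection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class HostnameVerificationCheck {

    static final String BROKER_HOST = "broker.example.internal"; // hypothetical broker name
    static final int BROKER_SSL_PORT = 61617;                   // conventional ssl:// port

    /** Builds an SSLContext that trusts only the CA(s) in the given truststore. */
    static SSLContext contextFor(String trustStorePath, String trustStorePassword) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * What activemq-client before 5.15.6 effectively did: a plain SSLSocket validates the
     * certificate chain against the truststore but never compares the certificate's SAN/CN
     * with the host that was dialled. A certificate for any name, issued by a trusted CA,
     * passes, which is what lets an on-path attacker impersonate the broker.
     */
    static SSLSocket connectWithoutHostnameCheck(SSLContext ctx) throws Exception {
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) f.createSocket(BROKER_HOST, BROKER_SSL_PORT);
        s.startHandshake(); // succeeds even for a wrong-name certificate chained to a trusted CA
        return s;
    }

    /**
     * What 5.15.6 enables by default: endpoint identification. With the "HTTPS" algorithm
     * JSSE matches BROKER_HOST against the server certificate during the handshake and
     * throws SSLHandshakeException on mismatch.
     */
    static SSLSocket connectWithHostnameCheck(SSLContext ctx) throws Exception {
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) f.createSocket(BROKER_HOST, BROKER_SSL_PORT);
        SSLParameters params = s.getSSLParameters();   // default has no identification algorithm
        params.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(params);
        s.startHandshake(); // fails with SSLHandshakeException if the name does not match
        return s;
    }

    /**
     * The same check through the ActiveMQ client. On 5.15.6+ it is on by default; writing
     * socket.verifyHostName=true explicitly means a later "=false" added to silence
     * certificate errors stands out in code review. The TLS handshake happens inside
     * createConnection(), so a name mismatch surfaces there as a JMSException.
     */
    static Connection connectJms(String trustStorePath, String trustStorePassword) throws Exception {
        String url = "ssl://" + BROKER_HOST + ":" + BROKER_SSL_PORT + "?socket.verifyHostName=true";
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(url);
        factory.setTrustStore(trustStorePath);
        factory.setTrustStorePassword(trustStorePassword);
        Connection c = factory.createConnection();
        c.start();
        return c;
    }

    public static void main(String[] args) throws Exception {
        String tsPath = args.length > 0 ? args[0] : "client.ts";   // placeholder truststore
        String tsPass = args.length > 1 ? args[1] : "changeit";    // placeholder password
        SSLContext ctx = contextFor(tsPath, tsPass);
        try (SSLSocket s = connectWithHostnameCheck(ctx)) {
            System.out.println("raw TLS: name verified, peer=" + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("raw TLS: rejected (the check 5.14.5 lacked): " + e.getMessage());
        }
        Connection c = connectJms(tsPath, tsPass);
        try {
            System.out.println("JMS: connected with hostname verification enabled");
        } finally {
            c.close();
        }
    }
}
```

Run it as `java HostnameVerificationCheck client.ts changeit` against a broker whose certificate is issued for a different name than the one dialled: the hostname-checked socket and the JMS connection are both refused, while `connectWithoutHostnameCheck` would still complete the handshake. The practical consequence of the upgrade, as the advisory notes, is that broker certificates must carry the hostname clients actually use; fix the certificate rather than turning the option off.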