| Description: | Summary:
The remote host is missing an update for the Debian 'activemq' package(s) announced via the DLA-2583-1 advisory.
Vulnerability Insight:
Multiple security issues were discovered in activemq, a message broker built around Java Message Service.
CVE-2017-15709
When using the OpenWire protocol in activemq, it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
CVE-2018-11775
TLS hostname verification when using the Apache ActiveMQ Client was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2019-0222
Unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive
CVE-2021-26117
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. The anonymous context is used to verify a valid users password in error, resulting in no check on the password.
For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u2.
We recommend that you upgrade your activemq packages.
For the detailed security status of activemq please refer to its security tracker page at: [link moved to references]
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'activemq' package(s) on Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
5.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N
|
