Message-ID: <CAGRgoZiPvmkmdrS1JjMCK-qPiJ+zATuv19jTTjz=orE_z-pYBg@mail.gmail.com>
Date: Mon, 15 Jun 2020 13:45:21 +0100
From: Jonathan Gallimore <jgallimore@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource
 adapter URI causes unauthenticated JMX port to be open

CVE-2020-11969: Apache TomEE - useJMX attribute on ActiveMQ resource
adapter URI causes unauthenticated JMX port to be open

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache TomEE 8.0.0-M1 - 8.0.1
Apache TomEE 7.1.0 - 7.1.2
Apache TomEE 7.0.0-M1 - 7.0.7
Apache TomEE 1.0.0 - 1.7.5

Description:
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
broker URI includes the useJMX=true parameter, a JMX port is opened on TCP
port 1099, which does not include authentication.

Mitigation:
- Upgrade to TomEE 7.0.8 or later
- Upgrade to TomEE 7.1.3 or later
- Upgrade to TomEE 8.0.2 or later

Alternatively, users may wish to remove the useJMX option from the URI (the
default is false).
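As an added illustration (not part of the advisory), the exposed and the corrected forms of the ActiveMQ resource adapter entry in conf/tomee.xml, side by side. The resource id and the broker host/port are assumed values; the advisory spells the parameter useJMX, while the stock TomEE template writes it useJmx, and the example follows the template.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Exposed form (hypothetical resource id). On the affected versions,
     useJmx=true on the broker URI makes the embedded broker open a JMX
     connector on TCP port 1099 with no authentication. -->
<tomee>
  <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)?useJmx=true
    ServerUrl = tcp://localhost:61616
  </Resource>
</tomee>

<!-- Corrected form: the useJmx parameter is simply removed from the URI,
     so the broker falls back to the default (false) and no JMX port is
     opened. Combine with the upgrade to a fixed release listed above. -->
<tomee>
  <Resource id="MyJmsResourceAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)
    ServerUrl = tcp://localhost:61616
  </Resource>
</tomee>
```

After restarting TomEE with the corrected entry, confirming that nothing listens on TCP 1099 is a quick way to verify the change took effect.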

- The Apache TomEE team.
