[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 15 Jun 2020 13:45:21 +0100
From: Jonathan Gallimore <jgallimore@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource
adapter URI causes authenticated JMX port to be open
CVE-2020-11969: Apache TomEE - useJMX attribute on ActiveMQ resource
adapter URI causes authenticated JMX port to be open
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache TomEE 8.0.0-M1 - 8.0.1
Apache TomEE 7.1.0 - 7.1.2
Apache TomEE 7.0.0-M1 - 7.0.7
Apache TomEE 1.0.0 - 1.7.5
Description:
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
broker URI includes the useJMX=true parameter, a JMX port is opened on TCP
port 1099, which does not include authentication.
Mitigation:
- Upgrade to TomEE 7.0.8 or later
- Upgrade to TomEE 7.1.3 or later
- Upgrade to TomEE 8.0.2 or later
Alternatively, users may wish to remove the useJMX option from the URI (the
default is false).
- The Apache TomEE team.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
