Date: Mon, 15 Jun 2020 13:45:21 +0100 From: Jonathan Gallimore <jgallimore@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be open CVE-2020-11969: Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be open Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache TomEE 8.0.0-M1 - 8.0.1 Apache TomEE 7.1.0 - 7.1.2 Apache TomEE 7.0.0-M1 - 7.0.7 Apache TomEE 1.0.0 - 1.7.5 Description: If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. Mitigation: - Upgrade to TomEE 7.0.8 or later - Upgrade to TomEE 7.1.3 or later - Upgrade to TomEE 8.0.2 or later Alternatively, users may wish to remove the useJMX option from the URI (the default is false). - The Apache TomEE team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.