Bug 1629083 (CVE-2018-11775)

Summary: CVE-2018-11775 activemq: ActiveMQ Client Missing TLS Hostname Verification
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agrimm, aileenc, alazarot, anstephe, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dfediuck, dimitris, dosoudil, drieden, eedri, etirelli, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jochrist, jshepherd, kconner, krathod, kverlaen, ldimaggi, lgao, mgoldboi, michal.skrivanek, myarboro, nwallace, paradhya, pdrozd, pgier, pslavice, psotirop, puntogil, rnetuka, rrajasek, rsvoboda, rsynek, rwagner, rzhang, sbonazzo, sdaley, sherold, s, sthorger, tcunning, tdawson, tkirby, tmielke, twalsh, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ActiveMQ 5.15.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-15 00:51:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1629087    
Bug Blocks: 1629088    

Description Pedro Sampaio 2018-09-14 20:07:05 UTC 
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

References:

http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
Comment 1 Pedro Sampaio 2018-09-14 20:18:40 UTC 
Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1629087]
Comment 3 Doran Moppert 2018-11-19 06:09:30 UTC 
Upstream commits:

https://github.com/apache/activemq/commit/bde7097fb
https://github.com/apache/activemq/commit/02971a40e
Comment 6 Joshua Padman 2019-05-15 22:57:30 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 9 Joshua Padman 2019-06-12 02:54:58 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 10 Joshua Padman 2019-08-12 01:27:10 UTC 
This vulnerability is out of security support scope for the following products:
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.
Comment 11 errata-xmlrpc 2019-11-14 21:18:00 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
Comment 12 Product Security DevOps Team 2019-11-15 00:51:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-11775