Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
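As an added example (not part of this bug report or of the ActiveMQ project), the check below compares upstream Apache ActiveMQ artifact versions found in a deployment against the fixed releases named above; the jar naming pattern and the sample file list are constructed assumptions, and the rule that anything newer than 5.18.3 is fixed is also an assumption. It applies to upstream version strings only: vendor builds covered by the errata in this thread may carry the fix under a different version string, so for those the erratum, not the jar name, is the authoritative source.

```python
import re
from typing import Optional

# Upstream Apache ActiveMQ releases the advisory names as fixed, keyed by
# release branch: a version on one of these branches is fixed when its patch
# level is at or above the listed one.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Assumed Maven-style naming: <artifact>-<major>.<minor>.<patch>[suffix].jar,
# e.g. activemq-client-5.11.0.jar or activemq-openwire-legacy-5.18.3.jar.
JAR_RE = re.compile(r"^(activemq[\w-]*?)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]*)?\.jar$")


def is_fixed(version: tuple) -> bool:
    """True when an upstream version string is at or above the fixed release."""
    major, minor, _patch = version
    if (major, minor) in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[(major, minor)]
    # Assumption: branches newer than 5.18 carry the fix; older branches
    # (such as 5.11) have no fixed release and must be upgraded.
    return version > (5, 18, 3)


def assess_jar(filename: str) -> Optional[dict]:
    """Classify one ActiveMQ jar by name; None for jars that are not ActiveMQ."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return {"artifact": m.group(1),
            "version": ".".join(map(str, version)),
            "fixed": is_fixed(version)}


def scan(filenames) -> list:
    """Return the assessments for every ActiveMQ jar in a list of file names."""
    return [r for r in (assess_jar(f) for f in filenames) if r is not None]


if __name__ == "__main__":
    # Constructed sample listing of a broker's lib directory.
    sample = ["activemq-client-5.11.0.jar", "activemq-openwire-legacy-5.16.7.jar",
              "activemq-broker-5.18.2.jar", "jackson-core-2.15.0.jar"]
    for result in scan(sample):
        print(result)
```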
This issue has been addressed in the following products: Red Hat Fuse/AMQ 6.3.20
Via RHSA-2023:6849 https://access.redhat.com/errata/RHSA-2023:6849

This issue has been addressed in the following products: RHEL-7 based Middleware Containers
Via RHSA-2023:6866 https://access.redhat.com/errata/RHSA-2023:6866

This issue has been addressed in the following products: AMQ 6.3 openshift container image
Via RHSA-2023:6877 https://access.redhat.com/errata/RHSA-2023:6877

This issue has been addressed in the following products: AMQ Broker 7.10.5
Via RHSA-2023:6878 https://access.redhat.com/errata/RHSA-2023:6878

This issue has been addressed in the following products: AMQ Broker 7.11.4
Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

This issue has been addressed in the following products: Red Hat Fuse 7.12.1
Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247
(In reply to errata-xmlrpc from comment #13)
> This issue has been addressed in the following products:
>
> AMQ Broker 7.11.4
>
> Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

"Fixed in Version" field states that the issue is resolved in activemq 5.18.3, activemq 5.17.6, activemq 5.15.16, activemq-openwire-legacy 5.18.3, activemq-openwire-legacy 5.17.6, activemq-openwire-legacy 5.16.7, activemq-openwire-legacy 5.15.16

Comment #13 says the issue is resolved in 7.11.4, but the product download still shows 5.11.0 jar files. One of my customers reached out to me asking why the vulnerability is still there if we say it is fixed. Please help!