TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
References:
http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
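The class of bug described above comes from the fact that a plain JSSE `SSLSocket` or `SSLEngine` validates the certificate chain but does not compare the certificate to the host name unless an endpoint identification algorithm is set. The following is an added example, not code from the ActiveMQ patch or from this report; the class name, helper names and broker address are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Illustrative class (hypothetical name), using only standard JSSE calls.
public class HostnameVerificationCheck {

    // True when the engine will match the peer certificate against the
    // host name it was created for, in addition to validating the chain.
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    // Enables RFC 2818 style name matching. "HTTPS" names the matching
    // rules only; it does not require the application protocol to be HTTP.
    static void enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        // Constructed broker address, used only as the expected peer name.
        SSLEngine engine = SSLContext.getDefault()
                .createSSLEngine("broker.example.internal", 61617);
        engine.setUseClientMode(true);

        // No network traffic happens here: the check only inspects configuration.
        System.out.println("hostname verification before: " + verifiesHostname(engine));
        enableHostnameVerification(engine);
        System.out.println("hostname verification after:  " + verifiesHostname(engine));
    }
}
```

The same `verifiesHostname` check can be applied to `SSLSocket.getSSLParameters()` when auditing client code that opens TLS connections directly.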
Created activemq tracking bugs for this issue:
Affects: fedora-all [bug 1629087]
Upstream commits:
https://github.com/apache/activemq/commit/bde7097fb
https://github.com/apache/activemq/commit/02971a40e
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following product:
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following products:
* JBoss Developer Studio 11
Please refer to https://access.redhat.com/node/4027141 for more details.
This issue has been addressed in the following products:
Red Hat Fuse 7.5.0
Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11775