TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6910-1 advisory.

    Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker     could possibly use this issue to terminate the program, resulting in a denial of service. This issue only     affected Ubuntu 16.04 LTS. (CVE-2015-7559)

    Peter Stckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote     attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected     Ubuntu 16.04 LTS. (CVE-2018-11775)

    Jonathan Gallimore and Colm  higeartaigh discovered that Apache ActiveMQ incorrectly handled     authentication in certain functions. A remote attacker could possibly use this issue to perform a person-     in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-13920)

    Gregor Tudan discovered that Apache ActiveMQ incorrectly handled LDAP authentication. A remote attacker     could possibly use this issue to acquire unauthenticated access. This issue only affected Ubuntu 16.04     LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)

    It was discovered that Apache ActiveMQ incorrectly handled authentication. A remote attacker could     possibly use this issue to run arbitrary code. (CVE-2022-41678)

    It was discovered that Apache ActiveMQ incorrectly handled deserialization. A remote attacker could     possibly use this issue to run arbitrary shell commands. (CVE-2023-46604)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were discovered in activemq, a message broker built around Java Message Service.

CVE-2017-15709

When using the OpenWire protocol in activemq, it was found that certain system details (such as the OS and kernel version) are exposed as plain text.

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

CVE-2019-0222

Unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive

CVE-2021-26117

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. The anonymous context is used to verify a valid users password in error, resulting in no check on the password.

For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u2.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - An unspecified vulnerability in the Enterprise Manager Base Platform component of   Oracle Enterprise Manager Products Suite (subcomponent: Connector Framework (Apache CXF)),   which could allow an unauthenticated, remote attacker to compromise   Enterprise Manager Base Platform. (CVE-2018-8039)

  - An unspecified vulnerability in the Oracle Enterprise Manager Base Platform component   of Oracle Enterprise Manager Products Suite (subcomponent: Valid Session (Apache ActiveMQ)),   which could allow an unauthenticated, remote attacker to compromise   Oracle Enterprise Manager Base Platform. (CVE-2019-0222)

  - An unspecified vulnerability in the Enterprise Manager Base Platform component of   Oracle Enterprise Manager Products Suite (subcomponent: Discovery Framework (OpenSSL)), which   could allow and unauthenticated, remote attacker to compromise   Enterprise Manager Base Platform. (CVE-2019-1559)

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.6. It is, therefore, affected by a flaw related to TLS hostname verification and ActiveMQ Client that allows man-in-the-middle attacks.

ID	Name	Product	Family	Severity
203693	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache ActiveMQ vulnerabilities (USN-6910-1)	Nessus	Ubuntu Local Security Checks	critical
147182	Debian DLA-2583-1 : activemq security update	Nessus	Debian Local Security Checks	high
126775	Oracle Enterprise Manager Cloud Control (Jul 2019 CPU)	Nessus	Misc.	high
117483	Apache ActiveMQ Client 5.x < 5.15.6 TLS Hostname Verification Weakness	Nessus	CGI abuses	high

Detections

Analytics

CVE-2018-11775

high

Tenable Plugins

critical

high

high

high