Description

When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.

Remediation

References

https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1%40%3Cdev.activemq.apache.org%3E

https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/2b6f04a552c6ec2de6563c2df3bba813f0fe9c7e22cce27b7829db89%40%3Cdev.activemq.apache.org%3E

https://lists.apache.org/thread.html/3f1e41bc9153936e065ca3094bd89ff8167ad2d39ac0b410f24382d2%40%3Cgitbox.activemq.apache.org%3E

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/c0ec53b72b3240b187afb1cf67e4309a9e5f607282010aa196734814%40%3Cgitbox.activemq.apache.org%3E

https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b%40%3Cdev.activemq.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html

Related Vulnerabilities

CVE-2022-31069 Vulnerability in npm package @finastra/nestjs-proxy

CVE-2015-3271 Vulnerability in maven package org.apache.tika:tika-server

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:jasper

CVE-2018-1000402 Vulnerability in maven package org.jenkins-ci.plugins:codedeploy

CVE-2012-0818 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N