You may be aware that a new critical vulnerability has been discovered in ActiveMQ. This was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604): Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to the broker. Unlike HTTP…
Reducing the time, cost, and overall overhead generated by addressing Common Vulnerabilities and Exposures (CVEs) in your software supply chain can be a constant challenge if the organization’s stakeholders aren’t aligned on how to address CVEs. As explained during my presentations about “Java and the Open Source ecosystem security”, the lifecycle of a CVE can vary in complexity depending on many internal and external factors in your organization. The way you handle internal factors is tied to your overall organizational structure, process, and culture, among other things. But the factors external to you are the ones you need to be aware of…
In today’s digital landscape, businesses and companies encounter a continuous stream of cybersecurity threats, and one significant category is Common Vulnerabilities and Exposures (CVEs). These vulnerabilities can potentially jeopardize your systems’ security and stability. While CVEs are just one aspect of the broader cybersecurity landscape, they hold particular relevance: CVEs provide public data that companies and organizations can use to their advantage in understanding and addressing potential vulnerabilities. To illustrate the concept further, let’s explore examples of high-, medium-, and low-severity CVEs in Apache ActiveMQ, a popular open-source messaging and integration…
Introduction

If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4j 2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with Log4j 2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…