Description

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11775

• http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt

• https://tools.cisco.com/security/center/viewAlert.x?alertId=58905&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20ActiveMQ%20Missing%20TLS%20Hostname%20Verification%20Security%20Bypass%20Vulnerability&vs_k=1&utm_source=dlvr.it&utm_medium=facebook

• https://www.securitytracker.com/id/1041618