Flaw in ActiveMQ Artemis OpenWire support
CVE-2021-26118

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache ActiveMQ Artemis
Vendor: CVE Published:; 27 January 2021

Summary

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Affected Version(s)

Apache ActiveMQ Artemis < 2.16.0

References

https://mail-archives.apache.org/mod_mbox/activemq-users/...

x_refsource_MISC

https://lists.apache.org/thread.html/rafd5d7cf303772a0118...

mailing-listx_refsource_MLIST

https://security.netapp.com/advisory/ntap-20210827-0002/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 27, 2021
Vulnerability Reserved
Jan 25, 2021

Credit

Apache ActiveMQ would like to thank Francesco Marchioni (Red Hat) for reporting this issue.

.