The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6910-1 advisory.

    Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker     could possibly use this issue to terminate the program, resulting in a denial of service. This issue only     affected Ubuntu 16.04 LTS. (CVE-2015-7559)

    Peter Stckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote     attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected     Ubuntu 16.04 LTS. (CVE-2018-11775)

    Jonathan Gallimore and Colm  higeartaigh discovered that Apache ActiveMQ incorrectly handled     authentication in certain functions. A remote attacker could possibly use this issue to perform a person-     in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-13920)

    Gregor Tudan discovered that Apache ActiveMQ incorrectly handled LDAP authentication. A remote attacker     could possibly use this issue to acquire unauthenticated access. This issue only affected Ubuntu 16.04     LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)

    It was discovered that Apache ActiveMQ incorrectly handled authentication. A remote attacker could     possibly use this issue to run arbitrary code. (CVE-2022-41678)

    It was discovered that Apache ActiveMQ incorrectly handled deserialization. A remote attacker could     possibly use this issue to run arbitrary shell commands. (CVE-2023-46604)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3657 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3657-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     November 20, 2023                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : activemq     Version        : 5.15.16-0+deb10u1     CVE ID         : CVE-2020-13920 CVE-2021-26117 CVE-2023-46604     Debian Bug     : 1054909 982590

    Several security vulnerabilities have been discovered in ActiveMQ, a Java     message broker.

    CVE-2020-13920

     Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI      registry and binds the server to the jmxrmi entry. It is possible to connect      to the registry without authentication and call the rebind method to rebind      jmxrmi to something else. If an attacker creates another server to proxy the      original, and bound that, he effectively becomes a man in the middle and is      able to intercept the credentials when an user connects.

    CVE-2021-26117

     The optional ActiveMQ LDAP login module can be configured to use anonymous      access to the LDAP server.

    CVE-2023-46604

     The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
     This vulnerability may allow a remote attacker with network access to either a      Java-based OpenWire broker or client to run arbitrary shell commands by      manipulating serialized class types in the OpenWire protocol to cause either      the client or the broker (respectively) to instantiate any class on the     classpath.

    For Debian 10 buster, these problems have been fixed in version     5.15.16-0+deb10u1.

    We recommend that you upgrade your activemq packages.

    For the detailed security status of activemq please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/activemq

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were discovered in activemq, a message broker built around Java Message Service.

CVE-2017-15709

When using the OpenWire protocol in activemq, it was found that certain system details (such as the OS and kernel version) are exposed as plain text.

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

CVE-2019-0222

Unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive

CVE-2021-26117

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. The anonymous context is used to verify a valid users password in error, resulting in no check on the password.

For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u2.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.14 or 5.16.x prior to 5.16.1. It is, therefore, affected by multiple vulnerabilities including the following: 

  - An authentication bypass vulnerability. The optional ActiveMQ LDAP login module can be configured   to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ prior to versions 5.16.1 and   5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on   the password. (CVE-2021-26117)

  - A cross-site scripting (XSS) vulnerability exists in Apache ActiveMQ due to improper validation of   user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this,   by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser   session. (CVE-2020-13947)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203693	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache ActiveMQ vulnerabilities (USN-6910-1)	Nessus	Ubuntu Local Security Checks	critical
186019	Debian dla-3657 : activemq - security update	Nessus	Debian Local Security Checks	critical
147182	Debian DLA-2583-1 : activemq security update	Nessus	Debian Local Security Checks	high
146087	Apache ActiveMQ 5.x < 5.15.14 / 5.16.x < 5.16.1 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2021-26117

high

Tenable Plugins

critical

critical

high

high