Man-in-the-Middle (MitM)

Affecting the org.apache.activemq:activemq-amqp artifact, versions [5.0.0,5.15.6)

high severity

Overview

org.apache.activemq:activemq-amqp is a high-performance, Apache 2.0 licensed message broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks due to missing TLS hostname verification: the client validates the server's certificate chain but does not check that the certificate matches the broker host it was configured to connect to. An attacker positioned between a Java application using the ActiveMQ client and the ActiveMQ server could therefore present a certificate issued for a different hostname and intercept or alter the connection.
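The JSSE setting this vulnerability class turns on, shown as an added example (not the ActiveMQ client's own code): a raw SSLSocket only matches the certificate against the requested host once an endpoint identification algorithm is set, so a client that omits it accepts any certificate chaining to a trusted CA. The broker host and port 5671 used in the connect helper are assumed values.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetSocketAddress;

public class AmqpTlsHostnameCheck {

    // Weak: a plain JSSE socket validates the certificate chain, but unless an
    // endpoint identification algorithm is set it never compares the
    // certificate's subject/SAN with the broker host the client asked for.
    static SSLSocket unverifiedSocket() throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return (SSLSocket) f.createSocket();   // unconnected; nothing is sent yet
    }

    // Hardened: "HTTPS" endpoint identification makes JSSE perform
    // RFC 2818 / RFC 6125 hostname matching during the handshake and fail it
    // on a mismatch, which is exactly the check a MitM relies on being absent.
    static SSLSocket verifiedSocket() throws IOException {
        SSLSocket s = unverifiedSocket();
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        return s;
    }

    // Inspection helper: reports whether a socket will verify the hostname.
    static boolean verifiesHostname(SSLSocket s) {
        String alg = s.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    // Connects and forces the handshake, so a certificate/host mismatch surfaces
    // here as an SSLHandshakeException instead of being silently accepted.
    static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocket s = verifiedSocket();
        s.connect(new InetSocketAddress(host, port));
        s.startHandshake();
        return s;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("default socket verifies hostname: " + verifiesHostname(unverifiedSocket()));
        System.out.println("hardened socket verifies hostname: " + verifiesHostname(verifiedSocket()));
        // Against a real broker (assumed host/port, AMQPS default port 5671):
        // try (SSLSocket s = connectVerified("broker.example.com", 5671)) { /* AMQP traffic */ }
    }
}
```

The main method runs offline and only inspects socket parameters; connectVerified is the shape of a connection that would reject a certificate issued for another host.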

Remediation

Upgrade org.apache.activemq:activemq-amqp to version 5.15.6 or higher.


Credit: Peter Stöckli
CVE: CVE-2018-11775
CWE: CWE-300
Snyk ID: SNYK-JAVA-ORGAPACHEACTIVEMQ-72362
Disclosed: 31 Aug, 2018
Published: 10 Sep, 2018