Man-in-the-Middle (MitM)

Affecting org.apache.activemq:activemq-amqp artifact, versions [5.0.0,5.15.6)

Overview

org.apache.activemq:activemq-amqp is a high-performance, Apache 2.0 licensed message broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks because TLS hostname verification is missing: the client does not check that the server's certificate was issued for the host name it connected to. An attacker positioned between a Java application using the ActiveMQ client and the ActiveMQ server could therefore perform a Man-in-the-Middle attack.
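As an added illustration (not ActiveMQ's own code or its fix), this is the JSSE setting that performs the check described above on a plain TLS socket; the class name, the host name and the use of port 5671 are assumptions for the example.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

// Added example, not ActiveMQ code: what "TLS hostname verification" means in JSSE.
public final class HostnameVerifiedSocket {

    // Opens a TLS connection to host:port and requires the server certificate to
    // match the host name (RFC 2818 / RFC 6125 rules), not merely to chain to a
    // trusted CA.
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        // Without this line JSSE only validates the chain, so a certificate issued
        // by any trusted CA for any other host is accepted. That is the gap this
        // advisory describes.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // The handshake now fails with SSLHandshakeException when the certificate
        // does not match the host name the client asked for.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; 5671 is the IANA-registered port for AMQP over TLS.
        String host = args.length > 0 ? args[0] : "broker.example.test";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5671;
        try (SSLSocket s = connect(host, port)) {
            // getPeerPrincipal() throws SSLPeerUnverifiedException if the peer was
            // not authenticated, so reaching this line means the name check passed.
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Enabling the same endpoint identification on the SSLEngine or SSLSocket a messaging client uses is what closes this class of MitM gap; fixed ActiveMQ versions do this for you.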

Remediation

Upgrade org.apache.activemq:activemq-amqp to version 5.15.6 or higher.

CVSS Score

7.4 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit: Peter Stöckli
CVE: CVE-2018-11775
CWE: CWE-300
Snyk ID: SNYK-JAVA-ORGAPACHEACTIVEMQ-72362
Disclosed: 31 Aug, 2018
Published: 10 Sep, 2018