Skip to main content

Act Now: Protecting Your ActiveMQ Broker from CVE-2023-46604

By ActiveMQ, CVEs, Security No Comments
You may be aware that a new critical vulnerability has been discovered in ActiveMQ. This was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604): Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to the broker. Unlike HTTP…
Read More

How to manage CVEs in Open Source Software?

By CVEs No Comments
Reducing time, cost, and overall overhead generated by addressing Common Vulnerability Exposures in your software supply chain can be a constant challenge if the organization's stakeholders aren’t aligned on how to address CVEs. As explained during my presentations about “Java and the Open Source ecosystem security”, the lifecycle of a CVE can vary in complexity depending on many internal and external factors in your organization. The way you can handle internal factors is tied to your overall organizational structure, process, and culture, among other factors. But the ones external to you are the ones you need to be aware of…
Read More

Securing Your Business: A Guide to Understanding and Addressing Apache ActiveMQ CVEs

By ActiveMQ, CVEs, Open Source No Comments
In today's digital landscape, businesses and companies encounter a continuous stream of cybersecurity threats, and one such significant threat is Common Vulnerabilities and Exposures (CVEs). These vulnerabilities can potentially jeopardize your systems' security and stability. However, it is important to note that while CVEs are just one aspect of the broader cybersecurity landscape, they hold particular relevance. CVEs provide public data that companies and organizations can use to their advantage in understanding and addressing potential vulnerabilities. To illustrate the concept further, let's explore examples of high, medium, and low-severity CVEs in Apache Active MQ, a popular open-source messaging and integration…
Read More

Java and the Open Source ecosystem security

By CVEs, Security, Spanish, Tribers Tour No Comments
Security in the Open Source ecosystem has continuously grown in priority on the global agenda in the technology industry. Many practices like DevOps, Agile, and standards like ISO/IEC 27001 have contributed over the years to adopt and promote a shift-left approach to security in the industry. The Java ecosystem is not separate from the opportunities and challenges the industry has overcome regarding security. In late 2022 I started to deliver the session “Deep diving into Java ecosystem security with OpenSource and DevSecOps” which provide a glance at how Open Source and the Java ecosystem correlate during the lifecycle of common...
Read More

CVE-2021-44228 – Log4Shell Vulnerability

By CVEs, Tomcat, TomEE No Comments
Introduction If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4J2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…
Read More