You may be aware that a new critical vulnerability has been discovered in ActiveMQ. It was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604): Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to the broker. Unlike HTTP…
Security in the Open Source ecosystem has continuously grown in priority on the global agenda of the technology industry. Many practices, such as DevOps and Agile, and standards such as ISO/IEC 27001, have contributed over the years to the adoption and promotion of a shift-left approach to security across the industry. The Java ecosystem is not separate from the opportunities and challenges the industry has faced regarding security. In late 2022 I started to deliver the session “Deep diving into Java ecosystem security with OpenSource and DevSecOps”, which provides a glance at how Open Source and the Java ecosystem correlate during the lifecycle of common...