org.apache.activemq:activemq-client 5.12.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.activemq:activemq-client package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `OpenWire` protocol. An attacker with network access to a broker or client can run arbitrary shell commands by manipulating serialized class types, causing the affected broker or client to instantiate any class on the classpath. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.activemq:activemq-client` to version 5.15.16, 5.16.7, 5.17.6, 5.18.3 or higher.	[,5.15.16)[5.16.0,5.16.7)[5.17.0,5.17.6)[5.18.0,5.18.3)
L Denial of Service (DoS) org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `ActiveMQConnection` class. An attacker could use this flaw to achieve denial of service on a client. How to fix Denial of Service (DoS)? Upgrade `org.apache.activemq:activemq-client` to version 5.14.5 or higher.	[5.0.0,5.14.5)
H Man-in-the-Middle (MitM) org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) due to missing TLS hostname verification. How to fix Man-in-the-Middle (MitM)? Upgrade `org.apache.activemq:activemq-client` to version 5.15.6 or higher.	[5.0.0,5.15.6)
C Arbitrary Code Execution org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Arbitrary Code Execution. Apache ActiveMQ doesn't restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. How to fix Arbitrary Code Execution? Upgrade `org.apache.activemq:activemq-client` to version 5.11.3, 5.12.2 or higher.	[,5.11.3)[5.12.0,5.12.2)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the OpenWire protocol. An attacker with network access to a broker or client can run arbitrary shell commands by manipulating serialized class types, causing the affected broker or client to instantiate any class on the classpath.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.activemq:activemq-client to version 5.15.16, 5.16.7, 5.17.6, 5.18.3 or higher.

[,5.15.16)[5.16.0,5.16.7)[5.17.0,5.17.6)[5.18.0,5.18.3)

Denial of Service (DoS)

org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the ActiveMQConnection class. An attacker could use this flaw to achieve denial of service on a client.

How to fix Denial of Service (DoS)?

Upgrade org.apache.activemq:activemq-client to version 5.14.5 or higher.

[5.0.0,5.14.5)

Man-in-the-Middle (MitM)

org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) due to missing TLS hostname verification.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.apache.activemq:activemq-client to version 5.15.6 or higher.

[5.0.0,5.15.6)

Arbitrary Code Execution

org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Apache ActiveMQ doesn't restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

How to fix Arbitrary Code Execution?

Upgrade org.apache.activemq:activemq-client to version 5.11.3, 5.12.2 or higher.

[,5.11.3)[5.12.0,5.12.2)

org.apache.activemq:activemq-client@5.12.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?