Headline
Red Hat Security Advisory 2022-6292-01
Red Hat Security Advisory 2022-6292-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.8.7 serves as a replacement for Red Hat AMQ Broker 7.8.6, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a html injection vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256==================================================================== Red Hat Security AdvisorySynopsis: Important: Red Hat AMQ Broker 7.8.7 release and security updateAdvisory ID: RHSA-2022:6292-01Product: Red Hat JBoss AMQAdvisory URL: https://access.redhat.com/errata/RHSA-2022:6292Issue date: 2022-09-01CVE Names: CVE-2022-35278====================================================================1. Summary:Red Hat AMQ Broker 7.8.7 is now available from the Red Hat Customer Portal.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.2. Description:AMQ Broker is a high-performance messaging implementation based on ActiveMQArtemis. It uses an asynchronous journal for fast message persistence, andsupports multiple languages, protocols, and platforms.This release of Red Hat AMQ Broker 7.8.7 serves as a replacement for RedHat AMQ Broker 7.8.6, and includes security and bug fixes, andenhancements. For further information, refer to the release notes linked toin the References section.Security Fix(es):* artemis-plugin: activemq-artemis: AMQ Broker web console HTML Injection(CVE-2022-35278)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link (you mustlog in to download the update).4. Bugs fixed (https://bugzilla.redhat.com/):2109805 - CVE-2022-35278 activemq-artemis: AMQ Broker web console HTML Injection5. References:https://access.redhat.com/security/cve/CVE-2022-35278https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.8.7https://access.redhat.com/documentation/en-us/red_hat_amq/6. Contact:The Red Hat security contact is <[email protected]>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBYxCI3NzjgjWX9erEAQhXPQ//evF+wS+qIbMzTyHsDPwN9HUHkEsqe0ZfyS6InsjK8VPVDNx96Q0OthS6A/qCYaHFCPZCZvaBYuj8KT2odH1VqRTT9wLa9y/f0hFvqMtUDmCu7IBMhwmUkzRH/TlM6LAxzlvUhkuSEIXCIIaFE+Rif+zcF4qYbnZVAvXzSIP1f2HGOXgVgxgoYR0zI0wldCwq+29w4+BJGcjGd2mk5Fwsc2KeBY0PAYCHPFtkPnnV1LkFMzPHrFwYHC8GwtO5kUBpUlOb4Abd82hXIRH5zJVOLUWyjA4OdU6bhkbmkcyABoUzNRVfTt3TOwZ7F7eCAj9Kleke9S0+5H3a5rPY4pOOUXodRaAZjkhLh4twQIkvtgqeidA7cVbbCRDcIJDuJb+cWxrlxdAYh1OWBavlyGaIvK6vdL5dv57AT6diUX49udNsC77ncSmCySt1kt+tGNxEhmPYBSeqUsjaap8ikuABr7qoqoxKLcQSrq2O9sYMICg71C7CnKyyJJB6FUa7uh+kq670h/+aDGK8MExiGUEdMQeNSfWYd0MOPJ6TtyApkyR12EqP+DhBLpy4JM173DDNACpduMFp4pBtskpaWL0lRfa5N4tS3G8YKW2iR/MEQFKfPYy673S/bgMy3mW+cn84FrbAhXWVbOG9/4rKzAhJWE1/FiseOajUxb10bkQYL7E=Q4jI-----END PGP SIGNATURE-------RHSA-announce mailing [email protected]://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2022-6916-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.1 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a html injection vulnerability.
Red Hat AMQ Broker 7.10.1 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3121: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation * CVE-2022-24823: netty: world readable temporary file containing sensitive data * CVE-2022-33980: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults * CVE-2022-35278: activemq-artemis: AMQ Broker web console HTML Injection
Red Hat AMQ Broker 7.8.7 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35278: activemq-artemis: AMQ Broker web console HTML Injection
In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.