CVE-2018-11775 — Improper Certificate Validation in Apache activemq-client

Description

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

How to fix CVE-2018-11775

To remediate CVE-2018-11775, upgrade the affected package to a fixed version below.

—upgrade to 5.15.6-1 or later
—upgrade to 5.15.6 or later

Is CVE-2018-11775 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.15.6-1
from 0, < 5.15.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (15)

ADVISORYgithub.com/advisories/GHSA-m9w8-v359-9ffr
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-11775
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-11775
PATCHgithub.com/apache/activemq
WEB