A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13
{
"unresolved_ranges": [
{
"source": "CPE_RANGE",
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_diameter_signaling_router",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.5.0"
}
]
},
{
"source": "CPE_RANGE",
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_element_manager",
"extracted_events": [
{
"introduced": "8.2.0"
},
{
"last_affected": "8.2.4.0"
}
]
},
{
"source": "CPE_RANGE",
"cpes": [
"cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_session_report_manager",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.2.2"
}
]
},
{
"source": "CPE_RANGE",
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_session_route_manager",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.2.2"
}
]
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:enterprise_repository",
"extracted_events": [
{
"introduced": "11.1.1.7.0"
},
{
"last_affected": "11.1.1.7.0"
}
]
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:flexcube_private_banking",
"extracted_events": [
{
"introduced": "12.0.0"
},
{
"last_affected": "12.0.0"
},
{
"introduced": "12.1.0"
},
{
"last_affected": "12.1.0"
}
]
}
]
}