UBUNTU-CVE-2020-13920

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-13920

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-13920.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-13920

Related

Published

2020-09-10T19:15:00Z

Modified

2024-10-15T14:07:29Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.

References

Affected packages

Ubuntu:Pro:16.04:LTS / activemq

Package

Name: activemq
Purl: pkg:deb/ubuntu/activemq?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.13.2+dfsg-2ubuntu0.1~esm1

Affected versions

5.*

5.6.0+dfsg1-4+deb8u1ubuntu1

5.6.0+dfsg1-5

5.13.2+dfsg-2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.13.2+dfsg-2ubuntu0.1~esm1",
            "binary_name": "activemq"
        },
        {
            "binary_version": "5.13.2+dfsg-2ubuntu0.1~esm1",
            "binary_name": "libactivemq-java"
        },
        {
            "binary_version": "5.13.2+dfsg-2ubuntu0.1~esm1",
            "binary_name": "libactivemq-java-doc"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / activemq

Package

Name: activemq
Purl: pkg:deb/ubuntu/activemq?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.8-2~18.04.1~esm1

Affected versions

5.*

5.14.5-3

5.15.2-2

5.15.3-2

5.15.8-2~18.04

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.15.8-2~18.04.1~esm1",
            "binary_name": "activemq"
        },
        {
            "binary_version": "5.15.8-2~18.04.1~esm1",
            "binary_name": "libactivemq-java"
        }
    ]
}

Ubuntu:20.04:LTS / activemq

Package

Name: activemq
Purl: pkg:deb/ubuntu/activemq?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.15.10-1

5.15.11-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:20.04:LTS / activemq

Package

Name: activemq
Purl: pkg:deb/ubuntu/activemq?arch=src?distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.11-1ubuntu0.1~esm1

Affected versions

5.*

5.15.10-1

5.15.11-1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.15.11-1ubuntu0.1~esm1",
            "binary_name": "activemq"
        },
        {
            "binary_version": "5.15.11-1ubuntu0.1~esm1",
            "binary_name": "libactivemq-java"
        }
    ]
}