[MAVEN:GHSA-836G-5FR5-FGCR] Missing Authentication for Critical Function in Apache TomEE

Severity High
Affected Packages 4
Fixed Packages 4
CVEs 1

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.
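A configuration check that applies the advisory's two conditions (an affected TomEE release and useJMX=true on the embedded broker URI) to a version string and a broker URI. This is an added example, not code from the advisory or from the Apache TomEE project; the broker URI form and the sample inputs are constructed, and the useJMX key is matched case-insensitively since the advisory's spelling may differ from a real configuration.

```python
import re
from urllib.parse import parse_qs

# Inclusive affected ranges and the fixed release for each, as listed in the advisory.
AFFECTED_RANGES = [
    ("1.0.0", "1.7.5", "1.7.6"),
    ("7.0.0-M1", "7.0.7", "7.0.8"),
    ("7.1.0", "7.1.2", "7.1.3"),
    ("8.0.0-M1", "8.0.1", "8.0.2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version):
    """Sort key for TomEE versions; a milestone such as 8.0.0-M1 sorts before the 8.0.0 release."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised TomEE version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_release = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_release, int(milestone or 0))

def fixed_version_for(version):
    """Return the fixed release if `version` lies in an affected range, else None."""
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if version_key(low) <= key <= version_key(high):
            return fixed
    return None

def broker_uri_enables_jmx(broker_uri):
    """True if the broker URI's query string sets useJMX=true (key matched case-insensitively)."""
    _, sep, query = broker_uri.partition("?")
    if not sep:
        return False
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    return any(v.strip().lower() == "true" for v in params.get("usejmx", []))

def assess(version, broker_uri):
    """Return (status, fixed_version): 'exposed' only when both advisory conditions hold."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return ("not-affected", None)
    if not broker_uri_enables_jmx(broker_uri):
        return ("upgrade-only", fixed)  # no JMX listener opened, but still an affected release
    return ("exposed", fixed)  # unauthenticated JMX listener on TCP 1099

# Constructed sample input, not taken from any real deployment.
SAMPLE = assess("8.0.1", "broker:(tcp://localhost:61616)?useJMX=true&persistent=false")
```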

Package Affected Version
pkg:maven/org.apache.tomee/tomee >= 1.0.0, <= 1.7.5
pkg:maven/org.apache.tomee/tomee >= 7.0.0-M1, <= 7.0.7
pkg:maven/org.apache.tomee/tomee >= 7.1.0, <= 7.1.2
pkg:maven/org.apache.tomee/tomee >= 8.0.0-M1, <= 8.0.1
ID
MAVEN:GHSA-836G-5FR5-FGCR
Severity
high
URL
https://github.com/advisories/GHSA-836g-5fr5-fgcr
Published
2022-02-10T23:07:37
Modified
2023-02-01T05:05:43
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee >= 1.0.0 <= 1.7.5
Fixed pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee = 1.7.6
Affected pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee >= 7.0.0-M1 <= 7.0.7
Fixed pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee = 7.0.8
Affected pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee >= 7.1.0 <= 7.1.2
Fixed pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee = 7.1.3
Affected pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee >= 8.0.0-M1 <= 8.0.1
Fixed pkg:maven/org.apache.tomee/tomee org.apache.tomee tomee = 8.0.2