CVE-2018-11775
First published: Mon Sep 10 2018(Updated: )
Apache ActiveMQ Client could allow a remote attacker to conduct a man-in-the-middle attack, caused by a missing TLS hostname verification. An attacker could exploit this vulnerability to launch a man-in-the-middle attack between a Java application using the ActiveMQ client and the ActiveMQ server.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache ActiveMQ | <5.15.6 | |
| Oracle Enterprise Repository | =12.1.3.0.0 | |
| Oracle FLEXCUBE Private Banking | =2.0.0.0 | |
| Oracle FLEXCUBE Private Banking | =2.2.0.1 | |
| Oracle FLEXCUBE Private Banking | =12.0.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.3.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0.0 | |
| maven/org.apache.activemq:activemq-client | <5.15.6 | 5.15.6 |
| redhat/ActiveMQ | <5.15.6 | 5.15.6 |
| debian/activemq | 5.16.1-1 5.17.2+dfsg-2 5.17.6+dfsg-1 | |
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-11775 https://nvd.nist.gov/vuln/detail/CVE-2018-11775
- https://bugzilla.redhat.com/show_bug.cgi?id=1629083
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/security/cve/cve-2018-11775
- http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
- http://www.securityfocus.com/bid/105335
- http://www.securitytracker.com/id/1041618
- https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d@%3Ccommits.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-11775
- https://github.com/advisories/GHSA-m9w8-v359-9ffr (Advisory)
- https://github.com/apache/activemq/commit/02971a40e281713a8397d3a1809c164b594abfbb
- https://github.com/apache/activemq/commit/bde7097fb8173cf871827df7811b3865679b963d
- https://issues.apache.org/jira/browse/AMQ-7047
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1629087
- https://github.com/apache/activemq/commit/bde7097fb
- https://github.com/apache/activemq/commit/02971a40e
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/node/4027141
- https://launchpad.net/bugs/cve/CVE-2018-11775
- https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=bde7097fb8173cf871827df7811b3865679b963d
- https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=02971a40e281713a8397d3a1809c164b594abfbb
- https://security-tracker.debian.org/tracker/CVE-2018-11775
- https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1%40%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b%40%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d%40%3Ccommits.activemq.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/149705
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
- https://ubuntu.com/security/CVE-2018-11775
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2018-11775.
What is the severity level of CVE-2018-11775?
CVE-2018-11775 has a severity level of 7.4 (High).
What is the affected software for CVE-2018-11775?
The affected software for CVE-2018-11775 includes Apache ActiveMQ Client before version 5.15.6, Oracle Enterprise Repository version 12.1.3.0.0, Oracle FLEXCUBE Private Banking versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0, and IBM Security Directory Suite VA up to version 8.0.1-8.0.1.19.
What is the impact of the vulnerability CVE-2018-11775?
The vulnerability CVE-2018-11775 allows a remote attacker to conduct a man-in-the-middle attack between a Java application using the ActiveMQ client and the ActiveMQ server.
How can I fix the vulnerability CVE-2018-11775?
To fix the vulnerability CVE-2018-11775, update the Apache ActiveMQ Client to version 5.15.6 or later.
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-m9w8-v359-9ffr
- alias/CVE-2018-11775
- collector/github-advisory
- agent/author
- agent/first-publish-date
- agent/remedy
- agent/type
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- agent/references
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/apache
- canonical/apache activemq
- vendor/oracle
- canonical/oracle enterprise repository
- version/oracle enterprise repository/12.1.3.0.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/2.0.0.0
- version/oracle flexcube private banking/2.2.0.1
- version/oracle flexcube private banking/12.0.1.0
- version/oracle flexcube private banking/12.0.3.0
- version/oracle flexcube private banking/12.1.0.0
- package-manager/maven
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19