In order to provide greater clarity and dedicated focus for our communities, especially our users, the Apache ActiveMQ PMC has decided to establish two distinct Apache Top-Level Projects: Apache ActiveMQ and Apache Artemis.
Both projects are highly active with vibrant communities, and this separation will grant each project better visibility and autonomy. Moving forward, each project will evolve independently with dedicated governance, fostering their unique development paths. This reorganization also presents a significant opportunity for new contributions to both projects.
What does this mean concretely in the coming days? We will operate as two independent Top-Level Projects, each with its own domain (activemq.apache.org and artemis.apache.org). It also means that each project will establish and manage its own dedicated resources, including websites, mailing lists, Slack channels, and issue trackers. These resources will become available in the coming weeks. In the mean-time, development and releases will continue on existing paths.
Stay tuned for more updates,
The Apache ActiveMQ PMC
UPDATE: The new Apache Artemis website is now live. Head there for more details such as mailing list information etc.
CVE-2023-46604 was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. In short:
activemq-client) are recommended to upgrade (regardless of which broker you're using).New releases for all current branches were made available on the day the CVE was announced:
ActiveMQ Classic:
ActiveMQ Artemis:
As stated in the official CVE description:
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
Three things are required to exploit this vulnerability:
String parameter)String parameterThe manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client so both are vulnerable.
The ActiveMQ Classic broker ships with a handful of Spring dependencies including org.springframework.context.support.ClassPathXmlApplicationContext which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has a constructor which takes a String which can be an HTTP URL pointing to an XML application configuration file across the network.
The only known exploit of this vulnerability uses this ClassPathXmlApplicationContext to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client).
ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies from ActiveMQ Classic for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.
]]>CVE-2021-44228 was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ "Classic" and Artemis. In short, CVE-2021-44228 has no impact on any ActiveMQ broker because no ActiveMQ broker uses any version of Log4j2. To reiterate, no action is required to mitigate CVE-2021-44228.
ActiveMQ "Classic" does use Log4j for logging, but the latest versions (i.e. 5.15.15 and 5.16.3) use Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has been used since 5.7.0. The upcoming ActiveMQ 5.17.0 will use Log4j2, but the pull request will be updated to use a later version of Log4j 2.x before merging to mitigate this CVE.
ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See ARTEMIS-3612 for more information on that task.