=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN218

_____________________________________________________________________

DATE                : 09/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ActiveMQ Artemis versions prior
                     to 2.40.0.

=====================================================================
https://lists.apache.org/thread/bg88rc4xj3olo81skq71dkc3rqd1wld6
_____________________________________________________________________

CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from
broker properties in the debug log

Affected versions:

- Apache ActiveMQ Artemis 1.5.1 before 2.40.0


Description:

Insertion of Sensitive Information into Log File vulnerability in
Apache ActiveMQ Artemis. All the values of the broker properties
are logged when the
org.apache.activemq.artemis.core.config.impl.ConfigurationImpl
logger has the debug level enabled.

This issue affects Apache ActiveMQ Artemis: from 1.5.1 before
2.40.0. It can be mitigated by restricting log access to only
trusted users.

Users are recommended to upgrade to version 2.40.0, which fixes
the issue.
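
Until the upgrade is in place, it helps to know whether a broker actually
has this logger at debug level. The following is an added example, not part
of the Apache advisory or of Artemis itself: it resolves the effective level
of the ConfigurationImpl logger from a Log4j 2 properties file, including
levels inherited from parent loggers. Assumptions: the broker's logging
configuration is in Log4j 2 properties format, and the sample configuration
is constructed.

```python
# Added example: audit a Log4j 2 properties file for CVE-2025-27391 exposure.
TARGET = "org.apache.activemq.artemis.core.config.impl.ConfigurationImpl"
VERBOSE = {"DEBUG", "TRACE", "ALL"}  # levels at which debug messages are written

def parse_properties(text):
    """Return key/value pairs, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_level(text, target=TARGET):
    """Resolve the level that applies to `target` through the logger hierarchy."""
    props = parse_properties(text)
    # Root level: "rootLogger.level = X" or the shorthand "rootLogger = X, appender".
    # Assumption: ERROR (Log4j 2's default root level) when neither is set.
    root = props.get("rootLogger.level") or props.get("rootLogger", "ERROR").split(",")[0]
    best_name, best_level = "", root.strip().upper()
    for key, name in props.items():
        parts = key.split(".")
        if len(parts) != 3 or parts[0] != "logger" or parts[2] != "name":
            continue
        level = props.get(f"logger.{parts[1]}.level", "").upper()
        applies = target == name or target.startswith(name + ".")
        # The most specific ancestor that sets a level wins.
        if level and applies and len(name) > len(best_name):
            best_name, best_level = name, level
    return best_level

def logs_broker_properties(text):
    """True when the ConfigurationImpl logger would emit debug output."""
    return effective_level(text) in VERBOSE

# Constructed sample: debug enabled on a parent logger, not on ConfigurationImpl itself.
SAMPLE = """
rootLogger = INFO, console, log_file
logger.artemis.name = org.apache.activemq.artemis
logger.artemis.level = DEBUG
"""

if __name__ == "__main__":
    print(effective_level(SAMPLE), logs_broker_properties(SAMPLE))
```

A True result on an affected version means the broker's log files should be
treated as containing credentials: restrict access to them and to any
archived or forwarded copies.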


Credit:

Rafael Yanez Illescas <ry...@redhat.com> (finder)


References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27391



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
