From 31ead057ee38fd627d8a991d00d5b44d1ad49f3d Mon Sep 17 00:00:00 2001 From: Matt Pavlovich Date: Thu, 21 May 2026 09:04:26 -0500 Subject: [PATCH 1/5] [#] SECURITY.md updates --- SECURITY.md | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index abb7649122d..2a93bc5d7f0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,13 +2,13 @@ ## Supported Versions -| Version | Supported | -| ------- | ------------------ | -| 6.2.x | :white_check_mark: | -| 6.1.x | :x: | -| 6.0.x | :x: | -| 5.19.x | :white_check_mark: | -| <= 5.18.x | :x: | +| Version | Supported | Note | +| ------- | ------------------ | ---- | +| 6.2.x | :white_check_mark: | | +| 6.1.x | :x: | | +| 6.0.x | :x: | | +| 5.19.x | :white_check_mark: | Except for EOL dependencies: Spring and Jetty | +| <= 5.18.x | :x: | | ## Reporting a Vulnerability @@ -33,6 +33,10 @@ Apache ActiveMQ's flexibility and wide ranging set of capabilities and features itself to being exposed to security vulnerabilities, especially ones from third-party projects such as Spring and Jolokia. +Apache ActiveMQ project recommends applying defense-in-depth and security-first to provide layers of security to environments running production workloads. + +Layers of security provide valuable options to prevent attacks, and to provide a buffer for when vulnerabilities at any layer are reported to provide reasonable time to test and apply fixes without impacting business-critical messaging traffic. + Users are advised to secure their environments 1. The web console is not designed to be exposed to the public Internet. 
@@ -51,11 +55,9 @@ Users are advised to secure their environments 8. Limit inbound and outbound network connectivity to and from an ActiveMQ server. -## Upcoming ActiveMQ Security Improvements +## ActiveMQ Security Improvement Project -Apache ActiveMQ projects recommends applying defense-in-depth and security-first to provide layers of security to environments running production workloads. - -Layers of security provide valuable options to prevent attacks, and to provide a buffer for when vulnerabilities at any layer are reported to provide reasonable time to test and apply fixes without impacting business-critical messaging traffic. +The Apache ActiveMQ team has initiated a security hardening project to move from a default configuration that is geared for developer testing and learning to a secured-by-default stance. 1. Enhancements to the SSL authentication plugin to fix wantAuth mode @@ -70,3 +72,13 @@ Layers of security provide valuable options to prevent attacks, and to provide a 6. Add allow/deny lists to transport connectors to limit IP addresses 7. [Done] VM Transport creation blocks the XBean factory by default + +## Security vs Features + +AI code scanning tools often mistaken designed features as a security issue. + +1. JMS Selectors - An optional query parameter designed to filter messages on a queue or topic that is not security related + +2. ClientId - A non-secret unique identifier used to provide once-and-only-once delivery that are designed to be used between connections and be deleted + +3. BlobMessages - Blob message support is a side-channel for moving large messages with the JMS API by routing the large message through a different endpoint such as http, sftp or scp. Clients using BlobMessages are responsible for validating the authenticity and validity of the uri provided by the broker. ActiveMQ recommends using SSL secured transports, with two-way SSL as the most preferred. From dfd5a1e07190fa7c0a344ab6ab51c46d07a192ef Mon Sep 17 00:00:00 2001 
From: "Christopher L. Shannon" Date: Fri, 22 May 2026 07:45:47 -0400 Subject: [PATCH 2/5] Update SECURITY.md --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 2a93bc5d7f0..d63527e83b3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -75,7 +75,9 @@ The Apache ActiveMQ team has initiated a security hardening project to move from ## Security vs Features -AI code scanning tools often mistaken designed features as a security issue. +AI code scanning tools often mistaken designed features as a security issue. It is the responsibility of the reporter to review AI output and verify if it's a real issue. There has been a large number of invalid submissions that could be avoided by simply reviewing the JMS spec and the features of the broker itself. + +Some of the most common reported examples: 1. JMS Selectors - An optional query parameter designed to filter messages on a queue or topic that is not security related From 4d71ae2867b961910729b3133edfb917ffa99ffd Mon Sep 17 00:00:00 2001 From: "Christopher L. Shannon" Date: Fri, 22 May 2026 07:46:03 -0400 Subject: [PATCH 3/5] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index d63527e83b3..04e12d9c737 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -79,7 +79,7 @@ AI code scanning tools often mistaken designed features as a security issue. It Some of the most common reported examples: -1. JMS Selectors - An optional query parameter designed to filter messages on a queue or topic that is not security related +1. JMS Selectors - An optional query parameter designed to filter messages on a queue or topic that is not security related. It is used by clients to consume a subset of messages on the destination instead of all messages. However, if a client is authorized for a destination it is always free to consume all the messages if it chooses so by simply not setting the selector. Therefore any reports showing issues with selectors allowing the consumption of extra messages would be considered a bug and not a security issue as long as it doesn't escape the destination the client is authorized for. 2. ClientId - A non-secret unique identifier used to provide once-and-only-once delivery that are designed to be used between connections and be deleted From 1c33bd76e165fc51373779fdd5799f88b7e58992 Mon Sep 17 00:00:00 2001 From: "Christopher L. Shannon" Date: Fri, 22 May 2026 07:46:19 -0400 Subject: [PATCH 4/5] Update SECURITY.md --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 04e12d9c737..7547f1db528 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -81,6 +81,8 @@ Some of the most common reported examples: 1. JMS Selectors - An optional query parameter designed to filter messages on a queue or topic that is not security related. It is used by clients to consume a subset of messages on the destination instead of all messages. However, if a client is authorized for a destination it is always free to consume all the messages if it chooses so by simply not setting the selector. Therefore any reports showing issues with selectors allowing the consumption of extra messages would be considered a bug and not a security issue as long as it doesn't escape the destination the client is authorized for. -2. ClientId - A non-secret unique identifier used to provide once-and-only-once delivery that are designed to be used between connections and be deleted +2. ClientId - A non-secret unique identifier used to provide once-and-only-once delivery that are designed to be used between connections and be deleted. The JMS spec specifically allows any authorized connection to use the same clientid as long as it isn't currently in use. Some protocols, such as MQTT, also allow link stealing and taking over if in use. + +3. Durable Subscriptions - The JMS spec allows authorized connections to connect to any existing durable subscription (combination of client id and subscription name) as long as it is offline. Authorized clients are allowed to delete the durable subscriptions as well even if they didn't create it. 3. BlobMessages - Blob message support is a side-channel for moving large messages with the JMS API by routing the large message through a different endpoint such as http, sftp or scp. Clients using BlobMessages are responsible for validating the authenticity and validity of the uri provided by the broker. ActiveMQ recommends using SSL secured transports, with two-way SSL as the most preferred. From 61362f4f7776b91b9f461937f1c9234287717765 Mon Sep 17 00:00:00 2001 
From: "Christopher L. Shannon" Date: Fri, 22 May 2026 07:46:28 -0400 Subject: [PATCH 5/5] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 7547f1db528..7f82baf2787 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -85,4 +85,4 @@ Some of the most common reported examples: 3. Durable Subscriptions - The JMS spec allows authorized connections to connect to any existing durable subscription (combination of client id and subscription name) as long as it is offline. Authorized clients are allowed to delete the durable subscriptions as well even if they didn't create it. -3. BlobMessages - Blob message support is a side-channel for moving large messages with the JMS API by routing the large message through a different endpoint such as http, sftp or scp. Clients using BlobMessages are responsible for validating the authenticity and validity of the uri provided by the broker. ActiveMQ recommends using SSL secured transports, with two-way SSL as the most preferred. +4. BlobMessages - Blob message support is a side-channel for moving large messages with the JMS API by routing the large message through a different endpoint such as http, sftp or scp. Clients using BlobMessages are responsible for validating the authenticity and validity of the uri provided by the received message before taking any action such as downloading or deleting the file. ActiveMQ recommends using SSL secured transports, with two-way SSL as the most preferred.
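Review bot: In the Supported Versions hunk of PATCH 1/5, the new Note for 5.19.x, "Except for EOL dependencies: Spring and Jetty", marks a supported line as carrying end-of-life third-party components without saying what that means for users; suggest stating it explicitly, e.g. "Fixes are provided for ActiveMQ's own code, but vulnerabilities reported in the EOL Spring and Jetty versions used by 5.19.x will not be fixed; users who need those fixed should move to 6.2.x." As written, a reader can take the :white_check_mark: at face value and assume Spring and Jetty advisories are covered.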
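Review bot: In the PATCH 1/5 hunk at `@@ -33,6 +33,10 @@`, the added sentence "Apache ActiveMQ project recommends applying defense-in-depth and security-first" is missing its article ("The Apache ActiveMQ project recommends"), and the second added paragraph uses "provide" three times in one sentence; suggest "Layers of security give operators options to prevent attacks and create a buffer when a vulnerability at any layer is reported, allowing time to test and apply fixes without disrupting business-critical messaging traffic." Since these two paragraphs are the same text removed from the "Upcoming ActiveMQ Security Improvements" section later in this patch, the commit message should say they were moved rather than added.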
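Review bot: In the PATCH 1/5 hunk at `@@ -51,11 +55,9 @@`, the new intro sentence should use the standard term "secure-by-default" rather than "secured-by-default stance", and the renamed heading "ActiveMQ Security Improvement Project" drops "Upcoming" while the list below still mixes "[Done]" items with pending ones; suggest one sentence after the intro explaining that items marked "[Done]" have shipped and the remaining items are planned, so the status markers are self-explanatory to a reader landing on this section.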
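Review bot: In the PATCH 1/5 hunk at `@@ -70,3 +72,13 @@`, "AI code scanning tools often mistaken designed features as a security issue" should read "often mistake designed features for security issues", and in item 2 "that are designed" should be "that is designed" (the subject is the identifier). In item 3, "side-channel" has a specific meaning in security (unintended information leakage, for example through timing); since BlobMessages intentionally move the payload through a separate endpoint, "out-of-band channel" is the accurate term. Also capitalize "uri" as "URI" and consider writing "TLS" alongside "SSL", since TLS is the protocol actually negotiated.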
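Review bot: In the PATCH 2/5 hunk, the expanded first sentence keeps the grammar error "mistaken designed features as a security issue" (should be "mistake ... for security issues"), and "There has been a large number of invalid submissions" should be "There have been a large number of invalid submissions"; "Some of the most common reported examples:" reads better as "Some of the most commonly reported examples:". Since reporters are being asked to check the JMS spec before submitting, consider linking the specification here so the request is actionable.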
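Review bot: In the PATCH 3/5 hunk, the expanded JMS Selectors item is a single run-on paragraph and contains "if it chooses so", which should be "if it chooses to do so". The decisive point, that the security boundary is destination-level authorization (a client authorized to consume from a destination may read every message on it, selector or no selector), only appears in the last clause; suggest leading item 1 with that statement, then explaining that selector defects which change the delivered subset are functional bugs, while any selector behaviour that returns messages from a destination the client is not authorized for is still a security issue and should be reported.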
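Review bot: In the PATCH 4/5 hunk, the new "Durable Subscriptions" entry is numbered "3." while the existing BlobMessages entry immediately below is also "3.", so the list has two item 3s; renumber BlobMessages to 4 in the same change. In item 2, "that are designed to be used between connections and be deleted" should be "that is designed to be used across connections and then deleted", and "the same clientid" should be "the same ClientId" to match the item title; in item 3, "even if they didn't create it" should be "even if they did not create them". Since both items say any authorized connection may reuse a ClientId or take over and delete another client's offline durable subscription, add a sentence noting that the broker's authorization configuration is the control that bounds this behaviour, so readers understand where the security boundary lies.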
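Review bot: In the PATCH 5/5 hunk, changing the URI's source from "the broker" to "the received message" is the substantive correction (the broker relays the URI but does not vouch for it) and the renumbering to "4." fixes the duplicate item 3 from PATCH 4/5; suggest spelling out what "validating the authenticity and validity" means in practice, namely treating the URI as untrusted input from the producer and checking it against the consumer's own policy (expected scheme and host) before downloading or deleting anything. Also "uri" should be "URI", and "SSL secured transports" should be hyphenated as "SSL-secured" (or "TLS-secured") transports.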