SB2025033173 - Multiple vulnerabilities in in Apache ActiveMQ Artemis

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-27427)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote user with "createDurableQueue" or "createNonDurableQueue" permission on an address can augment the routing-type supported by that address even if said user doesn't have the "createAddress" permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address.

2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-27391)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. A local user can read the log files and gain access to sensitive data.

Remediation

Install update from vendor's website.

References

• https://lists.apache.org/thread/gz5nst3gnhqwjs84vxrcp22t34lx6wkx
• http://www.openwall.com/lists/oss-security/2025/04/09/3
• https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps