This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/artemis-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 105d3f7e update mitigation strat for CVE-2026-27446
105d3f7e is described below

commit 105d3f7ead1c2da670b8b3f88ae94a00df5fe79a
Author: Justin Bertram <[email protected]>
AuthorDate: Tue Mar 17 10:02:32 2026 -0500

    update mitigation strat for CVE-2026-27446
---
 src/security-advisories.data/CVE-2026-27446-announcement.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security-advisories.data/CVE-2026-27446-announcement.txt 
b/src/security-advisories.data/CVE-2026-27446-announcement.txt
index 6cf4cfc9..cde10507 100644
--- a/src/security-advisories.data/CVE-2026-27446-announcement.txt
+++ b/src/security-advisories.data/CVE-2026-27446-announcement.txt
@@ -21,12 +21,14 @@ This issue affects:
 
 Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes 
the issue.
 
-The issue can be mitigated by either of the following:
+The issue can be mitigated by one of the following:
 
 - Remove Core protocol support from any acceptor receiving connections from 
untrusted sources. Incoming Core protocol connections are supported by default 
via the "artemis" acceptor listening on port 61616. See the "protocols" URL 
parameter configured for the acceptor. An acceptor URL without this parameter 
supports all protocols by default, including Core.
 
 - Use two-way SSL (i.e. certificate-based authentication) in order to force 
every client to present the proper SSL certificate when establishing a 
connection before any message protocol handshake is attempted. This will 
prevent unauthenticated exploitation of this vulnerability.
 
+- Implement and deploy a Core interceptor to deny all Core downstream 
federation connect packets. Such packets have a type of (int) -16 or (byte) 
0xfffffff0. Documentation for interceptors is available at 
https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html.
+
 Credit:
 
 Hardik Mehta <[email protected]> (finder)

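Review bot: the packet type annotation in the new third bullet is inconsistent: 0xfffffff0 is the 32-bit two's-complement form of -16, not a byte value; the single type byte on the wire is 0xf0. Since Core packet types are bytes, suggest "Such packets have a type of (byte) -16, i.e. 0xf0 on the wire", and ideally name the PacketImpl constant for the downstream federation connect packet instead of a bare magic number, so readers do not transcribe it wrongly (a Java comparison of the byte type against the int literal 0xf0, which is 240, will never match, while -16 will). The bullet would also be more actionable if it stated that the interceptor has to be configured as an incoming interceptor on every acceptor that still accepts Core from untrusted sources, such as the "artemis" acceptor on 61616 named in the first bullet, and that intercept() must return false for that packet type for the packet to be dropped; as written, a reader could deploy the class and still let the packet through.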
