Apache Artemis
cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*
- >= 2.50.0, <= 2.52.0
An incorrect-authorization vulnerability has been identified in Apache Artemis and Apache ActiveMQ Artemis. The issue arises when an application using the OpenWire protocol tries to create a non-durable JMS topic subscription on a non-existent address. It occurs with an authenticated user who holds the 'createDurableQueue' permission but lacks the 'createAddress' permission, while address auto-creation is disabled. In that situation a temporary address is erroneously created, whereas the subscription creation should fail because the user is not authorized to create the address. The temporary address is removed when the OpenWire connection is closed.
Exploitation of this vulnerability leads to unauthorized creation of temporary addresses, which could be misused before being removed when the OpenWire connection is closed.
Users are advised to upgrade to Apache Artemis version 2.53.0 or Apache ActiveMQ Artemis version 2.45.0 or later, both of which address this vulnerability.
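The affected permission and auto-creation combination, expressed as the corresponding broker.xml fragments. This is an added illustration, not configuration taken from the advisory or the Artemis project; the role name `subscriber` and the `#` wildcard matches are assumptions chosen for the example.

```xml
<!-- Constructed example of the configuration the advisory describes.
     The 'subscriber' role may create durable queues (and therefore
     durable/non-durable topic subscriptions) but is deliberately NOT
     granted 'createAddress'. -->
<security-settings>
   <security-setting match="#">
      <permission type="createDurableQueue"    roles="subscriber"/>
      <permission type="deleteDurableQueue"    roles="subscriber"/>
      <permission type="createNonDurableQueue" roles="subscriber"/>
      <permission type="deleteNonDurableQueue" roles="subscriber"/>
      <permission type="consume"               roles="subscriber"/>
      <permission type="send"                  roles="subscriber"/>
      <!-- 'createAddress' intentionally absent: subscribing to an
           address that does not yet exist must be rejected. -->
   </security-setting>
</security-settings>

<!-- Address auto-creation disabled, so a missing address is expected to
     be an error rather than silently created. Affected versions
     (2.50.0 to 2.52.0) still create a temporary address over OpenWire
     under these settings; the fixed releases reject the subscription. -->
<address-settings>
   <address-setting match="#">
      <auto-create-addresses>false</auto-create-addresses>
      <auto-create-queues>false</auto-create-queues>
   </address-setting>
</address-settings>
```

Brokers running a version in the affected range with a role shaped like this should be upgraded as stated above; on fixed releases the subscription attempt fails with an authorization error instead of creating the address.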