[Security] Default user password in Container for ActiveMQ
ViliusS opened this issue · 0 comments
Category:
Container images
Type:
- Bug
- Feature Request
- Process
The default ActiveMQ installation is vulnerable to this issue: https://issues.apache.org/jira/browse/AMQ-5388
Since the GCP Container image modifies the password only for the admin account but not for the user account, and the image easily allows external access to be configured, the vulnerability is even more serious. Most DevOps guys are not aware that this user exists!
This also propagates to the ActiveMQ Kubernetes App built on top of this image.
I have prepared an upstream patch, but the GCP image still needs to change the default password or, even better, disable the user account by default, with the possibility to enable it with a regenerated password.
When the upstream patch is merged, both the Container Image and the Kubernetes App for ActiveMQ need to be updated.
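
An audit check for the condition reported above, added here as an example; it is not code from the issue, the GCP image or ActiveMQ. It assumes the web console accounts live in a Jetty realm properties file (`conf/jetty-realm.properties` in a stock ActiveMQ layout, lines of the form `username: password, role`), which the issue itself does not state, and it reports accounts whose password is empty or equals the account name. The sample content and the function names are constructed for illustration.

```python
# Added example: audit a Jetty realm properties file for weak accounts.
# Assumed line format (Jetty HashLoginService): "username: password[,role ...]"
import re

SAMPLE_REALM = """\
# constructed sample, not copied from any image
admin: Xq7-constructed-generated-value, admin
user: user, user
"""

HASH_PREFIXES = ("OBF:", "MD5:", "CRYPT:")  # Jetty credential encodings


def parse_realm(text):
    """Yield (username, credential, roles) for each account line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        parts = [p.strip() for p in rest.split(",")]
        yield name, parts[0], [r for r in parts[1:] if r]


def weak_accounts(text, extra_weak=()):
    """Return a sorted list of (username, reason) for accounts needing attention."""
    findings = []
    weak = {w.lower() for w in extra_weak}
    for name, cred, _roles in parse_realm(text):
        if cred.startswith(HASH_PREFIXES):
            continue  # encoded credential: cannot be compared here
        if not cred:
            findings.append((name, "empty password"))
        elif cred.lower() == name.lower():
            findings.append((name, "password equals account name"))
        elif cred.lower() in weak:
            findings.append((name, "password on weak list"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in weak_accounts(SAMPLE_REALM):
        print(f"{name}: {reason}")
```

Run against the file extracted from a built image, a non-empty result means an account other than the regenerated admin one is still reachable with a guessable password.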