European Commission Digital

Addressing the ActiveMQ vulnerability in eDelivery sample software

Update 21 December 2023

Domibus 5.1.2 patching the vulnerability was released.

Update 21 November 2023

Domibus 5.0.7 patching the vulnerability was released.

Update 17 November 2023

Domibus 5.1.2 patching the vulnerability will be released on 21 December 2023.

Update 16 November 2023

Domibus 5.0.7 patching the vulnerability will be released on 21 November 2023.

Original announcement

We are aware of the recent vulnerability reported in ActiveMQ, which is used by Domibus as a message broker. This vulnerability, identified as CVE-2023-46604, may allow a remote attacker with network access to the ActiveMQ broker to run arbitrary shell commands. We understand the concerns this may raise and we want to assure you that we are taking this matter very seriously.

Impact

All Domibus versions are affected by this vulnerability when configured to use ActiveMQ (embedded or standalone). However, it’s important to note that if your ActiveMQ ports are not exposed on the internet, you are not under threat. The risk only exists if an attacker has access to the ports. Therefore, we strongly advise not to expose any ActiveMQ ports on the internet to avoid being subject to this vulnerability.

DomiSMP and DomiSML do not use ActiveMQ, therefore they are unaffected.

Recommendations

While we are working on Domibus patch versions which will upgrade to an ActiveMQ version that does not have the vulnerability, we want to provide immediate steps you can take to secure your systems:

1. Users of an ActiveMQ version embedded in Domibus:

  • Close your ports: If you haven’t exposed your ports, you are secure. If you have, we strongly recommend closing them. This is an immediate and effective action you can take to protect your system.
  • Upgrade to Domibus 5.0.6 or 5.1: We will not be releasing a patch for Domibus 4.2 as it is out of support. We strongly encourage you, if you haven’t done so already, to plan your upgrade to either Domibus 5.0.x or Domibus 5.1.x.
  • Apply our upcoming patch: If closing the ports is impossible for any reason, we are working on a patch that you can apply to secure your system. We will provide detailed instructions on how to apply this patch once it’s ready.

2. Users of a standalone ActiveMQ version:

  • Upgrade ActiveMQ: Please upgrade your ActiveMQ installation to a patched version. Please check this page for details.
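As a quick way to verify the "close your ports" advice on a Domibus host, here is an added example (not code from the eDelivery project) in POSIX shell: it reads `ss -Hlnt` output and reports any ActiveMQ listener bound to something other than loopback. It assumes ActiveMQ's default transport ports (61616 OpenWire, 8161 web console, 5672 AMQP, 61613 STOMP, 1883 MQTT, 61614 WebSocket); the sample `ss` lines are constructed, and a real system is checked with `--live`.

```shell
#!/bin/sh
# Added example, not part of the eDelivery announcement or Domibus.
# Assumption: ActiveMQ default listener ports; edit AMQ_PORTS to match
# the transportConnectors configured in your activemq.xml.
AMQ_PORTS="61616 8161 5672 61613 1883 61614"

# Reads "ss -Hlnt"-style lines on stdin
# (columns: State Recv-Q Send-Q Local:Port Peer:Port ...) and prints one
# line per ActiveMQ port reachable beyond localhost.
# Returns 1 if any such port was found, 0 if all are loopback-only or absent.
check_activemq_exposure() {
    found=0
    while read -r _state _rq _sq laddr _rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}   # handles 0.0.0.0:61616, [::]:61616, *:61616
        addr=${laddr%:*}
        for p in $AMQ_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.*|'[::1]'|'::1') ;;   # bound to loopback only: not reachable remotely
                *) echo "EXPOSED port $port bound to $addr"; found=1 ;;
            esac
        done
    done
    return $found
}

# Constructed sample of what `ss -Hlnt` might print on a Domibus host:
# OpenWire on all interfaces (bad), web console on loopback (fine), unrelated ports.
SAMPLE='LISTEN 0 128 0.0.0.0:61616 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8161 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
    ss -Hlnt | check_activemq_exposure || echo "ActiveMQ ports are reachable from other hosts: restrict them"
else
    printf '%s\n' "$SAMPLE" | check_activemq_exposure || echo "(sample) ActiveMQ ports are reachable from other hosts"
fi
```

A listener bound to 0.0.0.0 or [::] is only safe if a host or network firewall blocks it; the script checks bind addresses, not firewall rules.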

Looking forward

We understand that this situation may cause some concern, but we want to assure you that the security of your systems and the integrity of Domibus are our top priorities. We are committed to addressing this issue promptly and thoroughly. We appreciate your patience and understanding as we work to resolve this matter.

Stay tuned for the latest updates on eDelivery services by checking the Building Block's X and web page. For more information, do not hesitate to register for personalised news or contact us via our portal or by e-mail: EC-EDELIVERY-SUPPORT@ec.europa.eu.

The eDelivery Building Block

eDelivery is a building block that provides technical specifications and standards, installable software and ancillary services to allow projects to create a network of nodes for secure digital data exchange.

Domibus is the sample software provided by the European Commission to implement an eDelivery AS4 Access Point for the interoperable, secure and reliable data exchange. It is based on the eDelivery AS4 profile, an open technical specification for the secure, web-based, payload-agnostic exchange of data or documents.

DomiSMP is the sample software provided by the European Commission to implement an eDelivery Service Metadata Publisher for publishing and retrieving data necessary for an eDelivery party to dynamically configure its system for message exchange with counterparties using eDelivery. It is based on the eDelivery SMP profile, an open technical specification for publishing service metadata within a 4-corner network.

DomiSML is the sample software provided by the European Commission to implement an eDelivery Service Metadata Locator for an eDelivery party to discover the URLs of other counterparties using eDelivery Access Points and their corresponding metadata. It is based on the eDelivery BDXL profile, an open technical specification for locating Access Points within a network, and on the PEPPOL SML Specification, a technical specification defining a BDXL administration API.