Qmatic is aware that Apache ActiveMQ is vulnerable to Remote Code Execution (CVE-2023-46604). We are working to fully assess the impact across all Qmatic products and services that may be affected.
We will continually provide information as we investigate and monitor the situation as it evolves. Qmatic is committed to working closely with our clients and partners to determine potential impacts and deliver fixes or workarounds as quickly as possible. The security of our products and clients is our top priority, and we will provide updates as soon as more information becomes available.
UPDATE (2023-11-10):
Qmatic Orchestra, Business Intelligence, and Qmatic Web Booking applications include ActiveMQ libraries. Qmatic Orchestra and Business Intelligence applications use the Artemis version with the OpenWire protocol mentioned in CVE-2023-46604. However, this version doesn't come with Spring, so no known exploits exist. Qmatic will address this issue in future releases.
Qmatic Web Booking doesn't actively use the ActiveMQ libraries, so they can be removed. Qmatic has released a hotfix for Qmatic Web Booking. To learn more, please contact our support team.