
Apache ActiveMQ security advisory (AV26-330)

  • April 9, 2026
  • 1 reply
  • 11 views


Good morning, 

For anyone who was not aware, Apache has released a security advisory relating to ActiveMQ versions prior to 6.3.2, which are included in assyst as the assyst External Messaging System. 

https://www.cyber.gc.ca/en/alerts-advisories/apache-activemq-security-advisory-av26-330

When we contacted IFS about this yesterday, we received the following reply:

With regards to incident 507287, the issue is vulnerability CVE-2026-34197.

 

After investigation, the IFS assyst Service Desk have confirmed that your incident has highlighted a new defect and as a result we will log a new problem record.

The following workarounds have been identified that may help mitigate the impact of this defect:

 

(1) - Ensure that "Enable Web admin console" is disabled in the installer page for the external messaging system. This will prevent the endpoint from being accessible.

 

OR

 

(2) If you need the Web admin console to be enabled, then you can manually change the credentials for the Jolokia endpoint by editing the file conf/users.properties and changing the password for the admin user. Note that with this approach the vulnerability is still present, however it can only be accessed by the user with the correct credential. Bear in mind a re-install of the messaging system will overwrite the changes - so they would need to be re-applied after each installation.

 

Hopefully IFS can release an update for the installer which includes the newest version of ActiveMQ since the most recent assyst release (25R2SU2) still uses an old affected version. 

 

Regards, 

 

Duncan
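
Added example, not part of the original post or of IFS's reply: a check to run after each installation that reports whether the admin entry in conf/users.properties has gone back to a default or weak value, or whether the file no longer matches the fingerprint recorded when workaround (2) was applied. The weak-password list, the sample file contents and the function names are assumptions made for illustration.

```python
import hashlib
import sys

# Assumption: values treated as unacceptable; "admin" is the stock ActiveMQ password.
WEAK = {"admin", "password", "activemq", "changeme", ""}

# Constructed samples, not real credentials.
STOCK = "# constructed sample\nadmin=admin\n"
CHANGED = "# constructed sample\nadmin=c0nstructed-Example-9f2\n"

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            users[key.strip()] = value.strip()
    return users

def fingerprint(text):
    """SHA-256 of the file content, recorded after the password change."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(text, baseline_sha256=None, user="admin"):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    users = parse_properties(text)
    if user not in users:
        findings.append(f"no entry for {user}")
    elif users[user].lower() in WEAK or users[user] == user:
        # Never echo the password itself into logs or tickets.
        findings.append(f"{user} password is default or weak")
    if baseline_sha256 and fingerprint(text) != baseline_sha256:
        findings.append("file differs from the recorded baseline")
    return findings

if __name__ == "__main__":
    # Usage: script.py conf/users.properties [baseline_sha256]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = STOCK
    baseline = sys.argv[2] if len(sys.argv) > 2 else None
    for finding in audit(content, baseline) or ["ok"]:
        print(finding)
```

This only verifies workaround (2); as the reply above notes, the vulnerability itself remains until ActiveMQ is updated or the Web admin console is disabled.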

 

1 reply

  • Author
  • Do Gooder (Customer)
  • April 10, 2026

Sorry, typo in the above. The affected ActiveMQ versions are all 6.x.x versions prior to 6.2.3.