Candlepin / Apache Artemis vuln FP?

Problem:

Qualys detected a vulnerability in Apache Artemis, which is linked to Candlepin, but only on 2 out of 5 of our servers:

/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/artemis-server-2.42.0.jar!META-INF/maven/org.apache.activemq/artemis-server/pom.properties

All 5 servers (4 proxies, 1 main) have the same 2.42 version of this jar file, but Qualys has only triggered on 2 of them.

CVE-2026-27446

Any ideas? False positive?

Running version 3.17

Update: we also found that the Candlepin RPM is missing on 2 of the 5 servers as well. So we have it running on 3 (but only 2 got flagged for this CVE).

Anyone have an idea on this? I don’t see any Candlepin or Katello release notes covering this CVE fix.

Looks like upstream Candlepin updated its Artemis to a non-affected version 2 weeks ago: Bump artemis from 2.51.0 to 2.52.0 by dependabot[bot] · Pull Request #5402 · candlepin/candlepin · GitHub
From what I can see, this has been released in upstream release 4.7.5-1, but I cannot speak for when Katello will ship that version.
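As an added example (not code from the thread, Candlepin or Katello), here is the same check a scanner like Qualys does, written as a Python script: walk the Tomcat webapps tree, open every jar under WEB-INF/lib, read the artemis-server pom.properties inside it, and compare the version against a threshold. The threshold 2.52.0 is an assumption taken from the reply above; the three "hosts" are constructed fixtures built in a temp directory, not real Candlepin installs. Like the scanner, it only compares versions, so it cannot see an inline mitigation in the code; that is exactly the gap a vendor statement has to fill.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption from the thread: upstream moved to 2.52.0, treated here as the first non-affected version.
FIXED_VERSION = "2.52.0"
# Path inside the jar that the scanner finding quoted (artemis-server pom.properties).
POM_RE = re.compile(r"META-INF/maven/org\.apache\.activemq/artemis-server/pom\.properties$")


def parse_version(v):
    """'2.42.0' -> (2, 42, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def artemis_version_from_jar(jar_path):
    """Return the version= value from the artemis-server pom.properties in the jar, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if POM_RE.search(name):
                props = zf.read(name).decode("utf-8", errors="replace")
                for line in props.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return value.strip()
    return None


def scan_webapps(webapps_dir, fixed=FIXED_VERSION):
    """Classify every artemis-server jar under webapps_dir/**/WEB-INF/lib.

    Returns {"found": bool, "jars": [(path, version, below_fixed)]}.
    A host with no jar at all (e.g. the Candlepin RPM is not installed)
    comes back with found=False, which is a different state from "fixed".
    """
    results = []
    for jar in sorted(Path(webapps_dir).glob("**/WEB-INF/lib/*.jar")):
        ver = artemis_version_from_jar(jar)
        if ver is None:
            continue  # not an artemis-server jar
        below = parse_version(ver) < parse_version(fixed)
        results.append((str(jar), ver, below))
    return {"found": bool(results), "jars": results}


def make_fake_candlepin(webapps_dir, version):
    """Constructed fixture: a minimal webapp tree with an artemis-server jar of the given version."""
    lib = Path(webapps_dir) / "candlepin" / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    jar = lib / f"artemis-server-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.activemq/artemis-server/pom.properties",
            f"version={version}\ngroupId=org.apache.activemq\nartifactId=artemis-server\n",
        )
    return jar


def demo():
    """Three constructed hosts: old jar, fixed jar, and no Candlepin deployed at all."""
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        hosts = {"proxy1": "2.42.0", "proxy2": "2.52.0", "proxy3": None}
        for host, ver in hosts.items():
            webapps = Path(tmp) / host / "webapps"
            webapps.mkdir(parents=True)
            if ver:
                make_fake_candlepin(webapps, ver)
            report[host] = scan_webapps(webapps)
    return report


if __name__ == "__main__":
    for host, result in demo().items():
        if not result["found"]:
            print(f"{host}: no artemis-server jar found (Candlepin not deployed?)")
        for path, ver, below in result["jars"]:
            state = "below threshold" if below else "at/above threshold"
            print(f"{host}: {path} version {ver} ({state})")
```

On a real host, point scan_webapps at /var/lib/tomcat/webapps and run it next to `rpm -q candlepin`: a jar found with no RPM owning it, or an RPM with no jar, is the kind of inconsistency that explains why identical-looking servers get different scanner results. The version comparison alone says nothing about whether a backported or inline mitigation is present, so a "below threshold" hit is a prompt to check the vendor statement, not a confirmed vulnerability.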

So, checking at Red Hat for this CVE (cve-details), it says that Satellite is not affected as “inline mitigations already exist”. I would guess that this also applies to Foreman if they did not change that just for Satellite somehow.

Yes, the same applies to the Candlepin in supported Foreman versions.