Posted to users@activemq.apache.org by venu madhav <ve...@gmail.com> on 2019/07/03 05:59:59 UTC

ActiveMQ cve vulnerabilities seen in latest version

Hi Team,

We are using OWASP Dependency-Check to scan for vulnerabilities in our
project.
Even when we use the latest version of the activemq-kahadb-store jar (version
5.15.9) we see some vulnerabilities such as CVE-2018-11775
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11775) and
CVE-2016-3088 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3088),
which ideally should be fixed in the latest release, as stated at:
https://activemq.apache.org/components/classic/security

Can you please check and tell us whether the issue is not fixed, or whether the
NVD database is still showing the vulnerability even though the issue is fixed?

Attached is the Dependency-Check report generated with the following
dependencies added to pom.xml:

    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>activemq-kahadb-store</artifactId>
        <version>5.15.9</version>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>activemq-broker</artifactId>
        <version>5.15.9</version>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>activemq-client</artifactId>
        <version>5.15.9</version>
    </dependency>


Thanks and Regards,
Venu B

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by Tim Bain <tb...@alumni.duke.edu>.
It certainly sounds like OWASP Dependency-Check didn't mark the 2018 CVE as
resolved, which implies that there's a good chance that the same is true
for the 2016 CVE.

For you to be sure of that, I think you'd need to find the JIRA issues
under which we resolved each CVE, look at the code changes that were made,
and then confirm that the 5.15.9 branch in Git has not lost the changes.

Tim

On Wed, Jul 3, 2019, 3:09 AM venu madhav <ve...@gmail.com> wrote:

> Hi Tim,
>
> Thank you for your reply. So my question here is: will the
> vulnerability always be shown in the latest version as well, unless we
> change the configuration in activemq.xml as you mentioned?
> Also, I am just running a dummy project to scan for vulnerabilities using
> OWASP Dependency-Check. The project doesn't contain anything except for the
> ActiveMQ jars added as dependencies in the pom.xml.
> I have attached the complete pom.xml for your reference.
>
> Thanks and regards,
> Venu B
>
>
>
> On Wed, Jul 3, 2019 at 12:22 PM Tim Bain <tb...@alumni.duke.edu> wrote:
>
>> The CVE from 2016 provides a link
>> (http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt)
>> with instructions on how to disable the offending context path in the
>> broker's config file. Is that configuration present in your activemq.xml?
>> If so, did you copy/retain your config file when upgrading from a version
>> prior to 5.14.0?
>>
>> I don't have any insight into the one from 2018 and why it might be showing
>> as unmitigated.
>>
>> Tim
>>
>
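If the check Tim describes confirms that the fixes are present in 5.15.9, the usual way to stop Dependency-Check from re-reporting a reviewed CVE is a suppression file, wired into the dependency-check-maven plugin through its suppressionFiles configuration. The file below is an added example and not part of this thread or of the ActiveMQ project; the file name, the review notes, the until date and the decision to pin the exact version are assumptions for illustration. The CVE-2016-3088 entry relies only on what the thread states (the offending web context is disabled in the broker config from 5.14.0 onward), and the CVE-2018-11775 entry is written to be filled in with the JIRA issue and commit once they have been located.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption for this example).
     Each <suppress> records WHY a finding is treated as a false positive, and the
     until attribute expires the entry so the decision is re-reviewed rather than
     silently carried forward. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2016-3088: per the advisory linked in the thread, the offending web context
       is disabled in the broker configuration from 5.14.0 on. Suppress only after
       confirming the deployed broker config does not re-enable it. -->
  <suppress until="2020-07-01Z">
    <notes><![CDATA[
      Reviewed 2019-07 (example note): activemq 5.15.9 is >= 5.14.0 and the broker
      config in use does not enable the offending context. Re-check on expiry or upgrade.
    ]]></notes>
    <!-- Pin to the exact version so that any upgrade re-triggers the finding and the review. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq-(broker|client|kahadb-store)@5\.15\.9$</packageUrl>
    <cve>CVE-2016-3088</cve>
  </suppress>

  <!-- CVE-2018-11775: suppress only after the fix has been located in the 5.15.9
       sources, as suggested in the reply above; record the JIRA issue and commit. -->
  <suppress until="2020-07-01Z">
    <notes><![CDATA[
      Reviewed 2019-07 (example note): fix verified present in activemq 5.15.9 sources.
      JIRA issue / commit: <fill in from the verification>.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq-(broker|client|kahadb-store)@5\.15\.9$</packageUrl>
    <cve>CVE-2018-11775</cve>
  </suppress>

</suppressions>
```

Reference the file from the plugin configuration with `<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>`. Suppressing by CVE plus an exact package URL, rather than by CPE or for all versions, keeps the suppression from hiding the same CVE on a different artifact or after a downgrade; the expiry date makes the scan fail again once the review is stale.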

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by venu madhav <ve...@gmail.com>.
Hi Tim,

Thank you for your reply. So my question here is: will the vulnerability
always be shown in the latest version as well, unless we change the
configuration in activemq.xml as you mentioned?
Also, I am just running a dummy project to scan for vulnerabilities using
OWASP Dependency-Check. The project doesn't contain anything except for the
ActiveMQ jars added as dependencies in the pom.xml.
I have attached the complete pom.xml for your reference.

Thanks and regards,
Venu B



On Wed, Jul 3, 2019 at 12:22 PM Tim Bain <tb...@alumni.duke.edu> wrote:

> The CVE from 2016 provides a link
> (http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt)
> with instructions on how to disable the offending context path in the
> broker's config file. Is that configuration present in your activemq.xml?
> If so, did you copy/retain your config file when upgrading from a version
> prior to 5.14.0?
>
> I don't have any insight into the one from 2018 and why it might be showing
> as unmitigated.
>
> Tim
>

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by Tim Bain <tb...@alumni.duke.edu>.
The CVE from 2016 provides a link
(http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt)
with instructions on how to disable the offending context path in the
broker's config file. Is that configuration present in your activemq.xml?
If so, did you copy/retain your config file when upgrading from a version
prior to 5.14.0?

I don't have any insight into the one from 2018 and why it might be showing
as unmitigated.

Tim