Posted to issues@activemq.apache.org by "Christopher L. Shannon (JIRA)" <ji...@apache.org> on 2018/07/24 10:35:00 UTC

[jira] [Closed] (AMQ-6989) ActiveMQ 5.15.4 contains scala-library-2.11.0.jar which has one high severity CVE against it.

     [ https://issues.apache.org/jira/browse/AMQ-6989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon closed AMQ-6989.
---------------------------------------
    Resolution: Won't Fix

Scala is only used for LevelDB and that module has been deprecated and is no longer recommended for use, so it won't be getting any more updates.

> ActiveMQ 5.15.4 contains scala-library-2.11.0.jar which has one high severity CVE against it.
> ---------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6989
>                 URL: https://issues.apache.org/jira/browse/AMQ-6989
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and Windows, Gig-LAN.  Will not accept the risk of having even one high severity CVE in their environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains scala-library-2.11.0.jar which has one high severity CVE against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
> CVE-2017-15288    Severity:High  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
> The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
> CONFIRM - http://scala-lang.org/news/security-update-nov17.html
> CONFIRM - https://github.com/scala/scala/pull/6108
> CONFIRM - https://github.com/scala/scala/pull/6120
> CONFIRM - https://github.com/scala/scala/pull/6128
> Vulnerable Software & Versions: (show all)
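The detection step the reporter describes, wiring OWASP Dependency-Check into the Maven build so that a vulnerable transitive jar such as scala-library fails the build, looks like the following. This is an added example and not configuration from the ActiveMQ pom.xml or from the issue; the plugin version, the CVSS threshold and the suppression file name are assumptions chosen for illustration.

```xml
<!-- Added example: OWASP Dependency-Check plugin in a Maven build.
     Not taken from the ActiveMQ project; version, threshold and
     suppression file name are illustrative assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.4.0</version> <!-- assumed; pin to a current release -->
      <configuration>
        <!-- Fail the build when any dependency carries a CVE scored
             CVSS 7.0 or higher. CVE-2017-15288 (CVSS 7.2) on
             scala-library-2.11.0.jar would trip this threshold. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Findings that have been reviewed and accepted (for example a
             vulnerable code path that is never reachable, as argued for the
             deprecated LevelDB module) are recorded in a suppression file
             so the decision is versioned alongside the build. -->
        <suppressionFiles>
          <suppressionFile>owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the `check` goal (bound to the verify phase by default), writes the HTML report to `target/dependency-check-report.html`, and stops the build on any finding above the threshold; the report is where a vulnerable transitive dependency like the Scala library shows up even though no module declares it directly.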

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)