Posted to users@activemq.apache.org by "matteo.piemonti" <ma...@accenture.com> on 2019/03/11 14:42:49 UTC

CVE-2016-1000031 vulnerability on commons-fileupload

Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team
notified us of the vulnerability CVE-2016-1000031 in the library
commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
How can we mitigate it?
Is it possible to take the library commons-fileupload-1.3.3.jar and replace the
old file? Is it compatible with ActiveMQ?

Thank you
Matteo



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: CVE-2016-1000031 vulnerability on commons-fileupload

Posted by Tim Bain <tb...@alumni.duke.edu>.
There were a few versions of ActiveMQ 5.x that packaged HawtIO with the
broker, but within a few versions it was removed and users would have to
add it manually. From memory, I think it was present in 5.9 and 5.10 and
removed thereafter.

Justin's response matches up with my belief that 5.11.1 was a version that
didn't have HawtIO bundled, so it would have been installed manually by
someone on your project (or someone upgraded in place from a version that
did have it bundled and didn't clear out the things that were no longer
present, which is the same thing). In any case, Justin's recommendation to
work with the HawtIO community about this potential vulnerability in their
software is the way to go.

Tim


Re: CVE-2016-1000031 vulnerability on commons-fileupload

Posted by Justin Bertram <jb...@apache.org>.
Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a
directory named webapps/hawtio.

Also, the information on the CVE [2] states:

  Per Apache: "Having reviewed your report we have concluded that it does
not represent a valid vulnerability in Apache Commons File Upload. If an
application deserializes data from an untrusted source without filtering
and/or validation that is an application vulnerability not a vulnerability
in the library a potential attacker might leverage."

Therefore, you probably want to follow up with the Hawtio community on
whether or not this could be exploited in their web app and/or if version
1.3.3 of that jar could be used to mitigate the risk.


Justin

[1] http://archive.apache.org/dist/activemq/5.11.0/apache-activemq-5.11.0-bin.zip
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

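A check for the situation discussed in this thread (does a broker directory actually carry a commons-fileupload jar older than 1.3.3, and in which webapp), written here as an added example; it is not code from the thread or from the ActiveMQ or Hawtio projects. It assumes the webapps/<name>/WEB-INF/lib layout named in the question and that 1.3.3 is the first unaffected release; the sample install it builds is constructed for demonstration.

```python
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (1, 3, 3)  # jars below this are flagged; 1.3.3 is the release the thread asks about

def parse_version(text):
    """'1.3.1' -> (1, 3, 1); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def manifest_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if the jar has none."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None

def audit(root):
    """One finding per commons-fileupload jar in any WEB-INF/lib below root.
    'vulnerable' is True below 1.3.3, False otherwise, None if the version is unknown."""
    findings = []
    for jar in sorted(Path(root).glob("**/WEB-INF/lib/commons-fileupload-*.jar")):
        # Prefer the manifest; fall back to the version encoded in the file name.
        m = re.match(r"commons-fileupload-(\d+(?:\.\d+)*)", jar.name)
        version = manifest_version(jar) or (m.group(1) if m else None)
        try:
            vulnerable = parse_version(version) < FIXED_VERSION
        except ValueError:
            vulnerable = None  # unknown version: inspect the jar by hand
        findings.append({"path": str(jar), "version": version, "vulnerable": vulnerable})
    return findings

def build_sample_install(root):
    """Constructed stand-in for a broker directory (hypothetical layout, not a real ActiveMQ tree)."""
    for webapp, ver in {"hawtio": "1.3.1", "admin": "1.3.3"}.items():
        lib = Path(root, "webapps", webapp, "WEB-INF", "lib")
        lib.mkdir(parents=True)
        with zipfile.ZipFile(lib / f"commons-fileupload-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
    return root
```

Run `audit("/path/to/apache-activemq")` against a real install; a finding with `vulnerable=None` means the jar carries no parsable version and needs a manual look.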