Posted to dev@activemq.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2021/01/05 08:27:39 UTC

Re: CVE-2015-5183

Hi all,

An update on this long-running task. Red Hat have updated the descriptions
for the following two CVEs to make it clearer that they affect Red Hat AMQ
and not Apache, and then NIST changed the CPE scores to remove Apache
ActiveMQ:

https://nvd.nist.gov/vuln/detail/CVE-2015-5183
https://nvd.nist.gov/vuln/detail/CVE-2015-5184

So for these two CVEs, vulnerability scanners are no longer flagging Apache
ActiveMQ as vulnerable. The remaining task is

https://nvd.nist.gov/vuln/detail/CVE-2015-5182

I am waiting on clarification from Red Hat here, as the upstream bug is
marked as "WONTFIX".

Colm.

On Wed, Feb 26, 2020 at 1:15 PM Mark J Cox <mj...@apache.org> wrote:

> Yes, they can update the master CVE (Mitre) description which appears
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5183 which NVD are
> downstream from.
>
> Mark
>
> On Wed, Feb 26, 2020 at 1:12 PM Colm O hEigeartaigh <co...@apache.org>
> wrote:
>
> > Hi Mark,
> >
> > OK I will do thanks. Just for clarity, when you say they can update the
> > entry without Mitre - are you referring to the description
> > https://nvd.nist.gov/vuln/detail/CVE-2015-5183 or just in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1249182 ?
> >
> > Colm.
> >
> > On Wed, Feb 26, 2020 at 12:54 PM Mark J Cox <mj...@apache.org> wrote:
> >
> >> Hi Colm; as the assigning CNA was Red Hat I'd suggest reaching out to
> >> them via secalert@redhat.com and ask them to update the entry (they have
> >> the ability to do this themselves and very quickly and easily without
> >> having to involve Mitre at all).  Once that is done, which should take only
> >> a day or two, you can ask NIST to update the CPE list based on that change.
> >>
> >> Cheers, Mark
> >>
> >> On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <coheigea@apache.org>
> >> wrote:
> >>
> >>> Hi all,
> >>>
> >>> A few months ago I raised the issue of a number of CVEs reported against
> >>> AMQ which have no "fix for" version. I have some time again to look into
> >>> this, and so I'd like to take them one by one.
> >>>
> >>> https://nvd.nist.gov/vuln/detail/CVE-2015-5183
> >>>
> >>> "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes
> >>> on cookies."
> >>>
> >>> The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
> >>> refers to the Hawt IO Console, and not anything in ActiveMQ, although note
> >>> that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
> >>> release (https://issues.apache.org/jira/browse/AMQ-7322).
> >>>
> >>> As this CVE does not concern ActiveMQ at all, I would like to mail NIST
> >>> and request that they change the CPE score to stop referencing ActiveMQ,
> >>> and also update the description not to refer to ActiveMQ.
> >>>
> >>> It would be great if someone from the PMC could give me a +1 to this
> >>> plan, and I will be able to link to this thread when contacting NIST.
> >>>
> >>> Colm.
> >>>
> >>
>
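The condition the CVE description refers to, a session cookie issued without the HttpOnly and Secure attributes, is easy to confirm against a console by reading the Set-Cookie headers it returns. The following is an added example written for this page; it is not code from the thread, from the ActiveMQ project, or from the Hawtio console. The two HTTP responses embedded in it are constructed for illustration (the JSESSIONID value and the rest of the headers are made up), and the function names are this example's own.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not part of the ActiveMQ project or the Hawtio console.
The sample responses below are constructed for illustration only.
"""
from __future__ import annotations


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value.

    RFC 6265 attribute names are case-insensitive, so "httponly", "HttpOnly" and
    "HTTPONLY" are all accepted. Attribute values (e.g. the "/" in Path=/) are discarded
    because only the presence of the flag matters here.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: set[str] = set()
    for attr in parts[1:]:
        if attr:
            attrs.add(attr.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_cookies(set_cookie_values: list[str], *, https: bool = True) -> dict[str, list[str]]:
    """Map cookie name -> list of missing attributes ("HttpOnly", "Secure").

    Secure is only reported as missing when the console is served over HTTPS;
    on a plain-HTTP deployment the browser would never send a Secure cookie back.
    """
    findings: dict[str, list[str]] = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings[name] = missing
    return findings


def set_cookie_headers(raw_response: str) -> list[str]:
    """Extract every Set-Cookie value from the header block of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_response(raw_response: str, *, https: bool = True) -> dict[str, list[str]]:
    """Convenience wrapper: audit all cookies set by one raw HTTP response."""
    return audit_cookies(set_cookie_headers(raw_response), https=https)


# Constructed sample responses (not captured from any real server).
# WEAK_RESPONSE matches the situation the CVE text describes: a session
# cookie with neither HttpOnly nor Secure.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

To use it against a live console, feed the raw response (for example, the output of `curl -si https://host:port/` captured to a file) to audit_response and pass https=False when the console is deliberately served over plain HTTP, so that the Secure check does not produce noise. In any Servlet 3.0 or later web application the session cookie flags themselves are set declaratively through the standard `<session-config><cookie-config>` element of web.xml with `<http-only>true</http-only>` and `<secure>true</secure>`; that is the general servlet mechanism, not a statement about how AMQ-7322 was implemented.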