Posted to users@activemq.apache.org by mlanilk <ml...@gmail.com> on 2018/03/30 08:58:06 UTC

CVE-2018-7489 does this apply for ActiveMQ as library is packaged along with ActiveMQ

ActiveMQ 5.15.3 packages the Jackson-databind library 2.6.7. The
Jackson-databind library is vulnerable to CVE-2018-7489. I want to know if
this vulnerability applies to ActiveMQ 5.15.3 as it uses the library. If
yes, will there be an update to the ActiveMQ library?
--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: CVE-2018-7489 does this apply for ActiveMQ as library is packaged along with ActiveMQ

Posted by Tim Bain <tb...@alumni.duke.edu>.
I can't comment on any plans for addressing the CVE itself within ActiveMQ,
but the CVE appears to apply only when the c3p0 database connection pooling
library is in use in the same JVM as the ActiveMQ code. ActiveMQ doesn't
ship with c3p0, so if I've understood this correctly, you're only at risk
if you've put ActiveMQ and c3p0 on the same JVM yourself, not just if
you've installed ActiveMQ out of the box and are using it in isolation. So
anyone not using c3p0 should be unaffected, and anyone who is could
consider switching to a different database connection pooling library
(HikariCP gets lots of good press for being blazing-fast, though I haven't
personally used it) as a mitigation strategy. Also,
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
contains more information about Jackson gadget attacks in general and how
you can mitigate them, from one of the maintainers of jackson-databind.

Tim

On Fri, Mar 30, 2018 at 2:58 AM, mlanilk <ml...@gmail.com> wrote:

> ActiveMQ 5.15.3 packages the Jackson-databind library 2.6.7. The
> Jackson-databind library is vulnerable to CVE-2018-7489. I want to know if
> this vulnerability applies to ActiveMQ 5.15.3 as it uses the library. If
> yes, will there be an update to the ActiveMQ library?
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
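The condition Tim describes (jackson-databind and c3p0 loaded into the same JVM) can be checked mechanically against an unpacked broker directory before deciding whether the CVE matters for a given deployment. The script below is an added example written for this page; it is not code from the thread or from the ActiveMQ project. It assumes jars live under <dir>/lib (including lib/optional and lib/extra) with the usual <artifact>-<version>.jar naming, and the sample trees it builds are constructed from empty files, not a real install.

```shell
#!/bin/sh
# Added example, not code from the thread or from ActiveMQ itself.
# Audits an unpacked broker directory for the condition Tim describes:
# jackson-databind present AND a c3p0 jar on the same lib tree.
# Assumptions: jars live under <dir>/lib (incl. lib/optional, lib/extra)
# and follow the usual <artifact>-<version>.jar naming.

# jackson_databind_version DIR
#   Prints the version(s) of jackson-databind found under DIR, one per line,
#   taken from the jar file name (e.g. jackson-databind-2.6.7.jar -> 2.6.7).
jackson_databind_version() {
    find "$1" -name 'jackson-databind-*.jar' 2>/dev/null |
        sed -n 's/.*jackson-databind-\([0-9][0-9A-Za-z.-]*\)\.jar$/\1/p' | sort -u
}

# c3p0_jars DIR
#   Lists any c3p0 jars under DIR; prints nothing if c3p0 is absent.
c3p0_jars() {
    find "$1" -name 'c3p0-*.jar' 2>/dev/null | sort
}

# assess DIR
#   Applies the thread's reasoning and prints exactly one token:
#     NO-JACKSON   no jackson-databind jar under DIR           (return 2)
#     EXPOSED      jackson-databind and c3p0 both present      (return 1)
#     NOT-EXPOSED  jackson-databind present, no c3p0 jar       (return 0)
assess() {
    if [ -z "$(jackson_databind_version "$1")" ]; then
        echo NO-JACKSON
        return 2
    fi
    if [ -n "$(c3p0_jars "$1")" ]; then
        echo EXPOSED
        return 1
    fi
    echo NOT-EXPOSED
    return 0
}

# make_sample_tree DIR WITH_C3P0
#   Builds a constructed lib tree of empty jar files shaped like an
#   ActiveMQ 5.15.3 unpack (sample data only, not a real install).
#   WITH_C3P0=yes adds a c3p0 jar under lib/extra, as an admin might.
make_sample_tree() {
    mkdir -p "$1/lib/optional" "$1/lib/extra"
    : > "$1/lib/activemq-broker-5.15.3.jar"
    : > "$1/lib/optional/jackson-core-2.6.7.jar"
    : > "$1/lib/optional/jackson-databind-2.6.7.jar"
    if [ "$2" = "yes" ]; then
        : > "$1/lib/extra/c3p0-0.9.5.2.jar"
    fi
}

# report DIR: human-readable summary for one directory.
report() {
    echo "== $1"
    echo "jackson-databind: $(jackson_databind_version "$1" | tr '\n' ' ')"
    echo "c3p0 jars:        $(c3p0_jars "$1" | tr '\n' ' ')"
    verdict=$(assess "$1") || true
    echo "verdict:          $verdict"
}

# Usage: sh audit.sh /opt/activemq   (path is an assumption). With no
# argument the script demonstrates itself on two constructed sample trees.
if [ $# -gt 0 ]; then
    report "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/out-of-the-box" no
    make_sample_tree "$tmp/with-c3p0" yes
    report "$tmp/out-of-the-box"
    report "$tmp/with-c3p0"
    rm -rf "$tmp"
fi
```

The script only sees what is on disk under the broker's lib tree. Tim's point is about the JVM, so a c3p0 jar pulled in some other way (a datasource jar referenced from the broker configuration, or ActiveMQ embedded in an application that already uses c3p0) would not show up here; for a running broker, confirm against the actual java.class.path of the process (for example with jcmd <pid> VM.system_properties) rather than the install directory alone.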