You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Franck Valentin (Jira)" <ji...@apache.org> on 2021/09/22 13:12:00 UTC

[jira] [Commented] (ARTEMIS-2413) Upgrade JGroups

    [ https://issues.apache.org/jira/browse/ARTEMIS-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418585#comment-17418585 ] 

Franck Valentin commented on ARTEMIS-2413:
------------------------------------------

Hi [~jbertram],

would you confirm also that [CVE-2016-2141|https://nvd.nist.gov/vuln/detail/CVE-2016-2141] is not applicable here?

> Upgrade JGroups
> ---------------
>
>                 Key: ARTEMIS-2413
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2413
>             Project: ActiveMQ Artemis
>          Issue Type: Task
>    Affects Versions: 2.6.4
>            Reporter: Endre Jeges
>            Priority: Major
>
> I have noticed with the OWASP dependency-check plugin (org.owasp:dependency-check-maven:5.0.0) that the currently used org.jgroups:jgroups:3.6.13.Final has a [CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417] vulnerability. The problem has not been reported in the NVD database, therefore there is no CVE record.
> The vulnerability has been [addressed|https://github.com/belaban/JGroups/pull/348] in version org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is org.jgroups:jgroups:4.1.1.Final).
> The org.jgroups:jgroups dependency would require an upgrade to resolve the vulnerability.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)