Posted to issues@activemq.apache.org by "Albert Baker (JIRA)" <ji...@apache.org> on 2018/06/15 14:52:00 UTC

[jira] [Created] (AMQ-6990) ActiveMQ 5.15.4 ships commons-beanutils-core-1.8.0.jar, which has one high severity CVE against it.

Albert Baker created AMQ-6990:
---------------------------------

             Summary: ActiveMQ 5.15.4 ships commons-beanutils-core-1.8.0.jar, which has one high severity CVE against it.
                 Key: AMQ-6990
                 URL: https://issues.apache.org/jira/browse/AMQ-6990
             Project: ActiveMQ
          Issue Type: Bug
          Components: webconsole
    Affects Versions: 5.15.4
         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services).  Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
            Reporter: Albert Baker


ActiveMQ 5.15.4 ships commons-beanutils-core-1.8.0.jar, which has one high severity CVE against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.

CVE-2014-0114 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
BID - 67121
BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
CONFIRM - http://advisories.mageia.org/MGASA-2014-0219.html
CONFIRM - http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674128
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674812
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675266
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675387
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675689
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675898
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675972
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676303
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676375
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676931
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg27042296
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21675496
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0008.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
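The CVE text above says BeanUtils "does not suppress the class property". The following is an added example, not code from ActiveMQ, Commons BeanUtils or the reporter, that makes the mechanism concrete: because BeanUtils exposes getClass() as an ordinary readable property named "class", a nested property path of the form an attacker controls through request parameters (populate() and getNestedProperty() walk the same dotted paths) resolves from any populated bean to its ClassLoader. The second configuration registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, the opt-in introspector that BeanUtils 1.9.2 introduced as the fix (the 1.9.2 RELEASE-NOTES link in the report). The LoginForm bean and the classLoaderReachable() helper are hypothetical and stand in for the Struts ActionForm named in the CVE text; the example assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath, where the introspector exists but is not registered by default (1.9.4 registers it by default, so the "default" case reports false there).

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not ActiveMQ or Commons BeanUtils project code) for CVE-2014-0114.
 * Assumes commons-beanutils 1.9.2 or 1.9.3, where SuppressPropertiesBeanIntrospector
 * exists but must be registered explicitly.
 */
public class ClassPropertyDemo {

    /** Hypothetical form bean, standing in for the Struts ActionForm named in the CVE text. */
    public static class LoginForm {
        private String user = "";
        public String getUser() { return user; }
        public void setUser(String user) { this.user = user; }
    }

    /**
     * Constructed attacker-controlled path: the same dotted syntax a request parameter
     * name takes through BeanUtils.populate(). Only the read side is exercised here;
     * no ClassLoader state is modified.
     */
    static final String ATTACKER_PATH = "class.classLoader";

    /** Returns true if this BeanUtilsBean lets a nested path reach the bean's ClassLoader. */
    static boolean classLoaderReachable(BeanUtilsBean bub) {
        PropertyUtilsBean pub = bub.getPropertyUtils();
        try {
            Object target = pub.getNestedProperty(new LoginForm(), ATTACKER_PATH);
            return target instanceof ClassLoader;
        } catch (NoSuchMethodException e) {
            // PropertyUtilsBean raises this when "class" is not a known property,
            // i.e. the introspector suppressed it; the path is cut off at the first segment.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected reflection failure", e);
        }
    }

    /** Vulnerable configuration: stock introspection, "class" is exposed as a property. */
    static BeanUtilsBean defaultBeanUtils() {
        return new BeanUtilsBean();
    }

    /** Hardened configuration: register the SUPPRESS_CLASS introspector added in 1.9.2. */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    public static void main(String[] args) {
        System.out.println("default  : " + ATTACKER_PATH + " reachable = "
                + classLoaderReachable(defaultBeanUtils()));
        System.out.println("hardened : " + ATTACKER_PATH + " reachable = "
                + classLoaderReachable(hardenedBeanUtils()));
    }
}
```

Against 1.9.2/1.9.3 the first line reports true and the second false. The practical check for a product that bundles BeanUtils, as ActiveMQ's web console does here, is therefore twofold: upgrade past 1.9.2 (1.9.4 makes the suppression the default), and confirm that any code path which feeds user-supplied parameter names into populate() or getNestedProperty() goes through a PropertyUtilsBean with SUPPRESS_CLASS registered, since a fresh BeanUtilsBean on the older releases silently reverts to the vulnerable behaviour.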