Posted to users@activemq.apache.org by "Jackson, Douglas" <do...@siemens.com> on 2021/08/30 20:36:05 UTC

Security issues

Hi!
I am using activemq 5.16.3 and camel 2.25.4. There appears to be some security issues with them based on a tool called Dependency-check.
It also flags a security issue with the velocity engine 2.0 (which camel-velocity 2.25.4 lists as a dependency).
Are these valid?
Is it possible to use a more recent version of the velocity-engine with the camel-velocity 2.5.4?
Are there any plans to address these in the 5.15.x and 2.25.x releases?

CVE-2019-17571<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571>
CVE-2020-11971<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11971>
CVE-2020-13936<https://nvd.nist.gov/vuln/detail/CVE-2020-13936>

Thanks in advance for any guidance,

-Doug


Re: Security issues

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Doug,

You can update Camel dependencies independently from ActiveMQ.

Further more, ActiveMQ 5.16.3 already supports Camel 3.x (including activemq-camel).
However, I still recommend to use the camel-jms component (maintained at Camel).

Regards
JB

> On 30 Aug 2021 at 22:36, Jackson, Douglas <do...@siemens.com> wrote:


Re: Security issues

Posted by Matt Pavlovich <ma...@gmail.com>.
IIANAL: Both of those look specific to how the library is used, and mere presence does not mean the flaw can be exploited. 

1. Upgrading log4j on your own should not be a problem— doubtful the SocketServer class is being used by log4j in most ActiveMQ deployments.

2. With Camel, I wonder if disabling JMX would mitigate the issue— best to ping the users email list over at Camel to be sure.

Camel 3.x support is being targeted for ActiveMQ 5.17.x.

Thanks,
Matt Pavlovich

> On Aug 31, 2021, at 8:55 AM, Jackson, Douglas <do...@siemens.com> wrote:


RE: Security issues

Posted by "Jackson, Douglas" <do...@siemens.com>.
Hi!
Thanks for the info on the velocity stuff.

What about security vulnerability caused by the use of Log4j 1.2.17 by ActiveMQ (CVE-2019-17571)?

Or the Camel JMS 2.25.4 security vulnerability (CVE-2020-11971)?
Thanks,
-Doug


-----Original Message-----
From: Matt Pavlovich <ma...@gmail.com> 
Sent: Monday, August 30, 2021 3:55 PM
To: users@activemq.apache.org
Subject: Re: Security issues


Re: Security issues

Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Doug-

Yes. You should be able to update the Velocity dependency to Velocity 2.3 without any problems. 

Ref: http://velocity.apache.org/engine/2.3/upgrading.html#upgrading-from-velocity-22-to-velocity-23 <http://velocity.apache.org/engine/2.3/upgrading.html#upgrading-from-velocity-22-to-velocity-23>
Ref: https://velocity.apache.org/engine/2.3/changes.html <https://velocity.apache.org/engine/2.3/changes.html>

ActiveMQ 5.15.x release stream is closed, efforts are now on 5.16.x and the 5.17.x WIP streams. However, swapping out the velocity jar on your own shouldn’t have any impacts.

You’ll have to ping the Camel users mailing list to ask about a 2.25.x updated release. Again, I suspect just updating the jar on your own should work fine.

NOTE: To other readers— this is not a new ActiveMQ security issue, since ActiveMQ has upgraded Velocity to 2.3 in 5.16.x

Thanks,
Matt Pavlovich

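Added example (not from the thread, and not ActiveMQ or Camel project code): what "swapping out the velocity jar on your own" looks like in a Maven build. A dependencyManagement entry pins org.apache.velocity:velocity-engine-core to 2.3, so the 2.0 version that camel-velocity 2.25.4 declares transitively is overridden for every module. The project coordinates (com.example:broker-app) are placeholders; the artifact coordinates for Velocity and camel-velocity are assumed to be the ones the build already resolves.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- placeholder coordinates for the application that embeds ActiveMQ 5.16.3 and Camel 2.25.4 -->
  <groupId>com.example</groupId>
  <artifactId>broker-app</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <camel.version>2.25.4</camel.version>
    <!-- version recommended in the thread; camel-velocity 2.25.4 would otherwise resolve 2.0 -->
    <velocity.version>2.3</velocity.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version wins over the transitive 2.0 declared by camel-velocity,
           so the vulnerable jar never lands on the classpath. -->
      <dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>${velocity.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-velocity</artifactId>
      <version>${camel.version}</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.velocity` should show only velocity-engine-core:2.3 under camel-velocity, and a re-run of Dependency-check should no longer report CVE-2020-13936 against Velocity 2.0. The same dependencyManagement mechanism is how the log4j upgrade Matt mentions would be applied once a fixed version is chosen; the thread does not name one, so none is pinned here.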