You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Albert Baker (JIRA)" <ji...@apache.org> on 2018/06/15 15:19:00 UTC
[jira] [Created] (AMQ-6996) ActiveMQ 5.15.4 xercesImpl-2.11.0.jar
which has one high severity CVE against it.
Albert Baker created AMQ-6996:
---------------------------------
Summary: ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it.
Key: AMQ-6996
URL: https://issues.apache.org/jira/browse/AMQ-6996
Project: ActiveMQ
Issue Type: Bug
Components: Broker, webconsole
Affects Versions: 5.15.4
Environment: Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Finacial services). Will not accept the risk of having even one high severity CVE in thier environment. The cost of (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed systems.
Reporter: Albert Baker
ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
CVE-2012-0881 Severity:High CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=787104
MLIST - [oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff
Vulnerable Software & Versions:
cpe:/a:apache:xerces2_java:2.11.0 and all previous versions
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)