Posted to issues@activemq.apache.org by "Jamie goodyear (JIRA)" <ji...@apache.org> on 2018/07/24 00:15:00 UTC

[jira] [Updated] (AMQ-6990) ActiveMQ 5.15.4 commons-beanutils-core-1.8.0.jar which has one high severity CVE against it.

     [ https://issues.apache.org/jira/browse/AMQ-6990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jamie goodyear updated AMQ-6990:
--------------------------------
    Attachment: AMQ-6990-AMQ-5.15.x.patch

> ActiveMQ 5.15.4 commons-beanutils-core-1.8.0.jar which has one high severity CVE against it.
> --------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6990
>                 URL: https://issues.apache.org/jira/browse/AMQ-6990
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services).  Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>         Attachments: AMQ-6990-AMQ-5.15.x.patch
>
>
> ActiveMQ 5.15.4 commons-beanutils-core-1.8.0.jar which has one high severity CVE against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
> CVE-2014-0114 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
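As an added illustration (not code from the ActiveMQ project or from the attached patch), the following shows the mitigation the CVE text points at: registering commons-beanutils' SuppressPropertiesBeanIntrospector so that the `class` property is no longer reachable from request-supplied property names. It assumes commons-beanutils 1.9.2 or later on the classpath (the introspector ships from 1.9.2 but must be registered explicitly; 1.9.4 enables it by default), and the OrderForm bean and the parameter map are constructed for this example.

```java
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {
    // Minimal bean standing in for a request-populated form object (constructed for this example).
    public static class OrderForm {
        private String customer;
        public String getCustomer() { return customer; }
        public void setCustomer(String customer) { this.customer = customer; }
    }

    // True if this BeanUtilsBean's introspection still exposes the "class" property of the bean.
    static boolean exposesClassProperty(BeanUtilsBean bub, Object bean) {
        for (PropertyDescriptor pd : bub.getPropertyUtils().getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate field and one nested name that
        // starts with "class", the shape of input CVE-2014-0114 is about.
        Map<String, Object> params = new HashMap<>();
        params.put("customer", "alice");
        params.put("class.classLoader.someProperty", "value");

        // Unconfigured instance (1.9.2/1.9.3 behaviour): "class" is a readable property.
        BeanUtilsBean unguarded = new BeanUtilsBean();
        System.out.println("default exposes class: " + exposesClassProperty(unguarded, new OrderForm()));

        // Hardened instance: the introspector removes "class" from the descriptor set.
        BeanUtilsBean hardened = new BeanUtilsBean();
        hardened.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened exposes class: " + exposesClassProperty(hardened, new OrderForm()));

        // populate() resolves nested names segment by segment; with "class" unknown to the
        // hardened introspector the "class.*" entry is skipped while "customer" is still set.
        OrderForm form = new OrderForm();
        hardened.populate(form, params);
        System.out.println("customer=" + form.getCustomer());
    }
}
```

Upgrading the jar alone is the usual fix, but registering the introspector on every BeanUtilsBean instance the application creates is what actually removes the `class` path from request-driven property setting on 1.9.2 and 1.9.3.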