Posted to dev@activemq.apache.org by venu madhav <ve...@gmail.com> on 2019/07/04 04:01:04 UTC

ActiveMQ cve vulnerabilities seen in latest version

Hi team,

I am running a dummy project to scan for vulnerabilities using OWASP
dependency-check. The project doesn't contain anything except for the
activemq jars added as dependencies in the pom.xml. Even when we use the
latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally should
be fixed in the latest release, as mentioned in the link:
https://activemq.apache.org/components/classic/security

Can you please check and tell whether the issue is not fixed or the NVD
database is still showing the vulnerability even if the issue is fixed.

I have attached the pom.xml and the dependency check reports for your
reference.

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by venu madhav <ve...@gmail.com>.
Hi JB,

Did you get a chance to look into this?  Can you please confirm if the
mentioned vulnerabilities are already fixed from activemq end?


Thanks and regards,
Venu

On Thu, Jul 4, 2019 at 10:09 AM Jean-Baptiste Onofré <jb...@nanthrax.net>
wrote:

> Hi,
>
> I'm gonna take a look. If the CVE has been published, they should be fixed
> already. The point is more on which branch it has been fixed.
>
> So, let me do a pass as I'm preparing 5.15.10.
>
> Regards
> JB
>
> On 04/07/2019 06:01, venu madhav wrote:
> > Hi team,
> >
> > I am running a dummy project to scan for vulnerabilities using OWASP
> > dependency-check. The project doesn't contain anything except for the
> > activemq jars added as dependencies in the pom.xml. Even when we use the
> > latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> > vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> > should be fixed in the latest release, as mentioned in the link:
> > https://activemq.apache.org/components/classic/security
> >
> > Can you please check and tell whether the issue is not fixed or the NVD
> > database is still showing the vulnerability even if the issue is fixed.
> >
> > I have attached the pom.xml and the dependency check reports for your
> > reference.
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by Bruce Snyder <br...@gmail.com>.
JB, here's the email announcing the CVE and indicates that it was fixed in
the 5.15.6 release:

https://lists.apache.org/list.html?dev@activemq.apache.org:2018-9

Here is the JIRA issue:

https://issues.apache.org/jira/browse/AMQ-7047

I do see that this was cherry picked into the 5.15.x branch, so you should
be able to chase it down further from the info there.

Bruce

On Wed, Jul 3, 2019 at 10:39 PM Jean-Baptiste Onofré <jb...@nanthrax.net>
wrote:

> Hi,
>
> I'm gonna take a look. If the CVE has been published, they should be fixed
> already. The point is more on which branch it has been fixed.
>
> So, let me do a pass as I'm preparing 5.15.10.
>
> Regards
> JB
>
> On 04/07/2019 06:01, venu madhav wrote:
> > Hi team,
> >
> > I am running a dummy project to scan for vulnerabilities using OWASP
> > dependency-check. The project doesn't contain anything except for the
> > activemq jars added as dependencies in the pom.xml. Even when we use the
> > latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> > vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> > should be fixed in the latest release, as mentioned in the link:
> > https://activemq.apache.org/components/classic/security
> >
> > Can you please check and tell whether the issue is not fixed or the NVD
> > database is still showing the vulnerability even if the issue is fixed.
> >
> > I have attached the pom.xml and the dependency check reports for your
> > reference.
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>


-- 
perl -e 'print
unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );'

ActiveMQ in Action: http://bit.ly/2je6cQ
Blog: http://bsnyder.org/ <http://bruceblog.org/>
Twitter: http://twitter.com/brucesnyder
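The question in this thread is really a triage question: does a scanner finding against activemq 5.15.9 rest on an NVD version range that still covers 5.15.9, or on a coarse CPE match with no upper bound? The script below is an added example written for this thread, not code from the list, from OWASP dependency-check or from the ActiveMQ project. It evaluates a dependency version against records shaped like the NVD JSON feed's `cpe_match` entries (the `cpe23Uri` plus the optional `versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding` and `versionEndExcluding` bounds). The two records are constructed samples: CVE-2018-11775 is given an upper bound of 5.15.6 to mirror Bruce's statement that the fix shipped in that release, and CVE-2016-3088 is given a bare wildcard match with no bounds to show why a record without range data matches every version; neither is the real NVD data for those CVEs.

```python
"""Triage dependency-check style CVE findings against NVD-style version ranges.

Added example for this thread; not code from the list, from OWASP
dependency-check or from the ActiveMQ project. SAMPLE_CVES holds CONSTRUCTED
records in the shape of the NVD JSON feed's `cpe_match` entries, not the
real NVD data for these CVE ids.
"""
import re

# Constructed sample records (see module docstring). CVE-2018-11775 gets an
# upper bound of 5.15.6, mirroring the thread's claim that the fix shipped
# there; CVE-2016-3088 gets a bare wildcard with no bounds, so every version
# of the product matches it, which is how a fixed version still gets flagged.
SAMPLE_CVES = {
    "CVE-2018-11775": {
        "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "5.15.6"},
        ]
    },
    "CVE-2016-3088": {
        "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"},
        ]
    },
}

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")

# Trailing colon matters: without it "activemq_artemis" would also match.
ACTIVEMQ_CPE_PREFIX = "cpe:2.3:a:apache:activemq:"


def parse_version(text):
    """Turn '5.15.9' into a tuple that compares numerically per component.
    Numeric components compare as ints; a qualifier such as 'SNAPSHOT' is kept
    as a trailing text component (this toy comparator does not model Maven's
    qualifier ordering)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", text))


def cpe_version(cpe23uri):
    """Field 5 of a CPE 2.3 formatted string is the version ('*' = any)."""
    return cpe23uri.split(":")[5]


def in_range(version, match):
    """Apply the NVD bound fields. An entry with no bounds covers every version."""
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def matching_entries(cpe_prefix, version, cve):
    """Return the cpe_match entries that cover this product at this version."""
    hits = []
    for m in cve["cpe_match"]:
        if not m.get("vulnerable", True) or not m["cpe23Uri"].startswith(cpe_prefix):
            continue
        exact = cpe_version(m["cpe23Uri"])
        if exact not in ("*", "-"):
            # Entry names one concrete version: match only that version.
            if parse_version(exact) == parse_version(version):
                hits.append(m)
        elif in_range(version, m):
            hits.append(m)
    return hits


def is_affected(cpe_prefix, version, cve):
    return bool(matching_entries(cpe_prefix, version, cve))


def triage(version, cves=SAMPLE_CVES, cpe_prefix=ACTIVEMQ_CPE_PREFIX):
    """Classify each finding as not affected, affected (a bounded range or an
    exact version names this release), or flagged only by an unbounded
    wildcard match (an NVD data issue to suppress or report, not a code fix)."""
    result = {}
    for cve_id, cve in cves.items():
        hits = matching_entries(cpe_prefix, version, cve)
        if not hits:
            result[cve_id] = "not affected"
        elif any(k in m for m in hits for k in RANGE_KEYS) or \
                any(cpe_version(m["cpe23Uri"]) not in ("*", "-") for m in hits):
            result[cve_id] = "affected"
        else:
            result[cve_id] = "flagged by unbounded cpe match"
    return result


if __name__ == "__main__":
    for cve_id, verdict in triage("5.15.9").items():
        print(f"{cve_id}: {verdict}")
```

Run against the constructed data, 5.15.9 comes out as "not affected" for CVE-2018-11775 (the bound 5.15.6 excludes it) and "flagged by unbounded cpe match" for CVE-2016-3088, which is the distinction the original poster needs before deciding between chasing a fix and adding a dependency-check suppression; with real NVD records, substitute the feed's actual `cpe_match` entries for the samples.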

Re: ActiveMQ cve vulnerabilities seen in latest version

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

I'm gonna take a look. If the CVE has been published, they should be fixed
already. The point is more on which branch it has been fixed.

So, let me do a pass as I'm preparing 5.15.10.

Regards
JB

On 04/07/2019 06:01, venu madhav wrote:
> Hi team,
> 
> I am running a dummy project to scan for vulnerabilities using OWASP
> dependency-check. The project doesn't contain anything except for the
> activemq jars added as dependencies in the pom.xml. Even when we use the
> latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> should be fixed in the latest release, as mentioned in the link:
> https://activemq.apache.org/components/classic/security
> 
> Can you please check and tell whether the issue is not fixed or the NVD
> database is still showing the vulnerability even if the issue is fixed.
> 
> I have attached the pom.xml and the dependency check reports for your
> reference.

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com