Posted to issues@activemq.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2018/07/24 16:37:00 UTC

[jira] [Commented] (AMQ-6994) ActiveMQ 5.15.4 tomcat-servlet-api-8.0.24.jar which has four high severity CVEs against it.

    [ https://issues.apache.org/jira/browse/AMQ-6994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554499#comment-16554499 ] 

ASF subversion and git services commented on AMQ-6994:
------------------------------------------------------

Commit 3ec0831b05c11489c6cae51e27a3d67ab3afbe85 in activemq's branch refs/heads/activemq-5.15.x from [~tabish121]
[ https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=3ec0831 ]

AMQ-6994 Update tomcat API version to latest 8.0.x series

Updates version to 8.0.53 to bring in fixes

(cherry picked from commit b4513004bcb925788e49ff9a067a120abf226d37)


> ActiveMQ 5.15.4 tomcat-servlet-api-8.0.24.jar which has four high severity CVEs against it.
> --------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6994
>                 URL: https://issues.apache.org/jira/browse/AMQ-6994
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services).  Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 tomcat-servlet-api-8.0.24.jar which has four high severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
> Referenced In Projects/Scopes:
> ActiveMQ :: Assembly:compile
> ActiveMQ :: Web:provided
> ActiveMQ :: Web Console:provided
> CVE-2016-3092 Severity:High CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-20 Improper Input Validation
> The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
> BID - 91453
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
> CONFIRM - http://tomcat.apache.org/security-7.html
> CONFIRM - http://tomcat.apache.org/security-8.html
> CONFIRM - http://tomcat.apache.org/security-9.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
> CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
> DEBIAN - DSA-3609
> DEBIAN - DSA-3611
> DEBIAN - DSA-3614
> GENTOO - GLSA-201705-09
> JVN - JVN#89379547
> JVNDB - JVNDB-2016-000121
> MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
> REDHAT - RHSA-2016:2068
> REDHAT - RHSA-2016:2069
> REDHAT - RHSA-2016:2070
> REDHAT - RHSA-2016:2071
> REDHAT - RHSA-2016:2072
> REDHAT - RHSA-2016:2599
> REDHAT - RHSA-2016:2807
> REDHAT - RHSA-2016:2808
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> SECTRACK - 1036427
> SECTRACK - 1036900
> SECTRACK - 1037029
> SECTRACK - 1039606
> SUSE - openSUSE-SU-2016:2252
> UBUNTU - USN-3024-1
> UBUNTU - USN-3027-1
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat:8.0.24
> CVE-2016-5425  Severity:High CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
> BID - 93472
> CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> EXPLOIT-DB - 40488
> MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
> MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
> MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora,
> OracleLinux, RedHat etc.)
> REDHAT - RHSA-2016:2046
> SECTRACK - 1036979
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat
> CVE-2016-6325   Severity:High  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and
> (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
> BID - 93478
> CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
> REDHAT - RHSA-2016:2045
> REDHAT - RHSA-2016:2046
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat:-
> CVE-2016-8735 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-284 Improper Access Control
> Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if
> JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427
> Oracle patch that affected credential types.
> BID - 94463
> CONFIRM - http://seclists.org/oss-sec/2016/q4/502
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767644
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767656
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767676
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767684
> CONFIRM - http://tomcat.apache.org/security-6.html
> CONFIRM - http://tomcat.apache.org/security-7.html
> CONFIRM - http://tomcat.apache.org/security-8.html
> CONFIRM - http://tomcat.apache.org/security-9.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
> CONFIRM - https://security.netapp.com/advisory/ntap-20180607-0001/
> DEBIAN - DSA-3738
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> SECTRACK - 1037331
> Vulnerable Software & Versions:



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)