You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2020/11/17 14:50:00 UTC

[jira] [Resolved] (ARTEMIS-2938) Update to latest Apache ActiveMQ Client to resolve CVEs

     [ https://issues.apache.org/jira/browse/ARTEMIS-2938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-2938.
-------------------------------------
    Fix Version/s: 2.17.0
       Resolution: Fixed

> Update to latest Apache ActiveMQ Client to resolve CVEs
> -------------------------------------------------------
>
>                 Key: ARTEMIS-2938
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2938
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: OpenWire
>    Affects Versions: 2.15.0
>            Reporter: Rico Neubauer
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Hi,
> artemis-openwire-protocol embeds dependency org.apache.activemq:activemq-client.
> Version is defined in main pom.xml and currently 5.14.5. ([Link|https://github.com/apache/activemq-artemis/blob/master/pom.xml#L87])
> 5.14.5 has the following vulnerabilities:
> {noformat}
> CVE-2018-11775 (BDSA-2018-3183): (7.4)
> --------------------------------
> TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
> CVE-2019-0222 (BDSA-2019-0858): (7.5)
> -------------------------------
> In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
> {noformat}
> I therefore kindly request to update the dependency to the latest version - 5.16.0 at time of writing.
> Ran a full verification build with 5.16.0, which was perfectly fine.
> Previous similar issue: ARTEMIS-118



--
This message was sent by Atlassian Jira
(v8.3.4#803005)