Posted to issues@activemq.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2018/07/24 10:31:00 UTC

[jira] [Commented] (AMQ-6992) ActiveMQ 5.15.4 jackson-databind-2.9.4.jar which has one high severity CVE against it.

    [ https://issues.apache.org/jira/browse/AMQ-6992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554065#comment-16554065 ] 

ASF subversion and git services commented on AMQ-6992:
------------------------------------------------------

Commit 4a67dde130169f20a8b85fd145cf1e1431eed167 in activemq's branch refs/heads/master from Christopher L. Shannon (cshannon)
[ https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=4a67dde ]

AMQ-6992 - Update Jackson to latest version


> ActiveMQ 5.15.4 jackson-databind-2.9.4.jar which has one high severity CVE against it.
> --------------------------------------------------------------------------------------
>
>                 Key: AMQ-6992
>                 URL: https://issues.apache.org/jira/browse/AMQ-6992
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: activemq-leveldb-store
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services).  Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Assignee: Christopher L. Shannon
>            Priority: Blocker
>             Fix For: 5.16.0, 5.15.5
>
>
> ActiveMQ 5.15.4 jackson-databind-2.9.4.jar which has one high severity CVE against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
> CVE-2018-7489    Severity: High    CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-184 Incomplete Blacklist
> FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
> BID - 103203
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
> CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1931
> CONFIRM - https://security.netapp.com/advisory/ntap-20180328-0001/
> DEBIAN - DSA-4190
> REDHAT - RHSA-2018:1447
> REDHAT - RHSA-2018:1448
> REDHAT - RHSA-2018:1449
> REDHAT - RHSA-2018:1450
> REDHAT - RHSA-2018:1451
> REDHAT - RHSA-2018:1786
> SECTRACK - 1040693
> Vulnerable Software & Versions:
> cpe:/a:fasterxml:jackson-databind:2.9.4
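The report above was produced by wiring OWASP Dependency-Check into the Maven build, and the fix that closed the ticket was a version bump. The POM fragment below is an added illustration of both steps, not ActiveMQ's own pom.xml: it pins jackson-databind at the first patched 2.9.x release (2.9.5, per the advisory text) through dependencyManagement so transitive copies cannot drag 2.9.4 back in, and runs Dependency-Check with a CVSS threshold that fails the build on any High finding. The property name, plugin version and threshold are assumptions for the example.

```xml
<!-- Added example POM fragment (not the ActiveMQ project's pom.xml).
     Property name, plugin version and threshold are assumptions. -->
<project>
  <properties>
    <!-- CVE-2018-7489 is fixed in jackson-databind 2.9.5 (2.8.11.1 on the 2.8 line). -->
    <jackson.version>2.9.5</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pinning here overrides any transitive jackson-databind version
           pulled in by another module, so 2.9.4 cannot reappear silently. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- OWASP Dependency-Check: match resolved artifacts (by CPE, e.g.
           cpe:/a:fasterxml:jackson-databind:2.9.4) against the NVD and fail
           the build when a finding scores CVSS 7.0 or higher (High). -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.2.1</version> <!-- assumed; use the current release -->
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the pin took effect before trusting the scan, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows which version every module actually resolves. Note that a version bump addresses this CVE's bypass, but the underlying risk described in the report (polymorphic deserialization of untrusted JSON with a blacklist) remains a pattern to keep out of code that calls readValue on external input.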



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)