Posted to users@activemq.apache.org by Aditya Nautiyal <ad...@algosec.com.INVALID> on 2022/04/11 07:48:19 UTC

Critical : CVE-2022-22965 : SpringShell Vulnerability affecting Apache-tomcat

Hi Team,
Our scanners have started complaining about SpringShell Critical issues under /opt/apache-activemq* as shown below:

We recently upgraded our systems to 5.16.4. Can you please advise what the plan is to remediate this from the ActiveMQ side?




Re: Critical : CVE-2022-22965 : SpringShell Vulnerability affecting Apache-tomcat

Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Aditya-

ActiveMQ is not vulnerable: the current exploits require Spring web components, running in Tomcat as a WAR, and using JDK 9+.

Which security scanner are you using? It sounds like it is overzealous in identifying problematic instances.

Thanks,
Matt Pavlovich

> On Apr 11, 2022, at 2:48 AM, Aditya Nautiyal <ad...@algosec.com.INVALID> wrote:
> 
> Hi Team,
> Our scanners have started complaining about SpringShell Critical issues under /opt/apache-activemq* as shown below:
> 
>  
> We recently upgraded our systems to 5.16.4. Can you please advise what the plan is to remediate this from the ActiveMQ side?
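
The following added example (not from the thread or from the ActiveMQ project) checks one install directory against the three conditions named in the reply, so a scanner hit on a jar name can be triaged. The jar-name pattern, the operator-supplied `container` value and the sample file tree are assumptions constructed for illustration; only packaged `.war` files are inspected.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Spring Framework web modules; assumed mapping for the reply's "spring web components".
WEB_JAR = re.compile(r"(^|/)spring-(webmvc|webflux)-[^/]*\.jar$")

def java_major(version):
    """'1.8.0_322' -> 8, '11.0.14' -> 11, '17' -> 17."""
    nums = re.findall(r"\d+", version)
    return int(nums[1]) if nums[0] == "1" else int(nums[0])

def web_jars_in_wars(root):
    """Spring web jars packaged under WEB-INF/lib of any .war below root."""
    hits = []
    for war in sorted(Path(root).rglob("*.war")):
        with zipfile.ZipFile(war) as zf:
            hits += [f"{war.name}!{n}" for n in zf.namelist()
                     if n.startswith("WEB-INF/lib/") and WEB_JAR.search(n)]
    return hits

def triage(root, java_version, container):
    """Evaluate the reply's three conditions for one install directory.
    container is operator-supplied: 'tomcat', 'jetty', or None for standalone."""
    loose = sorted(p.name for p in Path(root).rglob("spring-*.jar"))
    packaged = web_jars_in_wars(root)
    checks = {
        "spring_web_in_war": bool(packaged),
        "runs_in_tomcat": container == "tomcat",
        "jdk9_plus": java_major(java_version) >= 9,
    }
    return {"loose_spring_jars": loose, "war_web_jars": packaged,
            "checks": checks, "all_met": all(checks.values())}

def build_sample(root, with_war):
    """Constructed layout for the demo; not a real product's file tree."""
    lib = Path(root, "lib")
    lib.mkdir()
    (lib / "spring-beans-0.0.0.jar").touch()  # name-only match a scanner may flag
    if with_war:
        with zipfile.ZipFile(Path(root, "app.war"), "w") as zf:
            zf.writestr("WEB-INF/lib/spring-webmvc-0.0.0.jar", b"")

if __name__ == "__main__":
    for with_war, jdk, container in [(False, "1.8.0_322", None), (True, "11.0.14", "tomcat")]:
        with tempfile.TemporaryDirectory() as d:
            build_sample(d, with_war)
            print(triage(d, jdk, container))
```

A result with `all_met` false and a non-empty `loose_spring_jars` list is the pattern of a name-based scanner match that does not meet the conditions listed in the reply.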