ActiveMQ cve vulnerabilities seen in latest version


ActiveMQ cve vulnerabilities seen in latest version

venu madhav
Hi team,

I am running a dummy project to scan for vulnerabilities using OWASP dependency-check. The project doesn't contain anything except for the ActiveMQ jars added as dependencies in the pom.xml. Even when we use the latest version of the activemq-kahadb-store jar (version 5.15.9) we see some vulnerabilities such as CVE-2018-11775 and CVE-2016-3088, which ideally should be fixed in the latest release, as mentioned at the link:
https://activemq.apache.org/components/classic/security

Can you please check and tell us whether the issue is not fixed, or whether the NVD database is still showing the vulnerability even though the issue is fixed?

I have attached the pom.xml and the dependency check reports for your reference.


Re: ActiveMQ cve vulnerabilities seen in latest version

jbonofre
Hi,

I'm gonna take a look. If the CVEs have been published, they should be fixed
already. The point is more on which branch it has been fixed in.

So, let me do a pass as I'm preparing 5.15.10.

Regards
JB

On 04/07/2019 06:01, venu madhav wrote:


--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: ActiveMQ cve vulnerabilities seen in latest version

venu madhav
Hi JB,

Did you get a chance to look into this? Can you please confirm whether the
mentioned vulnerabilities are already fixed from the ActiveMQ end?


Thanks and regards,
Venu

On Thu, Jul 4, 2019 at 10:09 AM Jean-Baptiste Onofré <[hidden email]> wrote:


Re: ActiveMQ cve vulnerabilities seen in latest version

Bruce Snyder
JB, here's the email announcing the CVE; it indicates that it was fixed in
the 5.15.6 release:

https://lists.apache.org/list.html?dev@...:2018-9

Here is the JIRA issue:

https://issues.apache.org/jira/browse/AMQ-7047

I do see that this was cherry-picked into the 5.15.x branch, so you should
be able to chase it down further from the info there.

Bruce

On Wed, Jul 3, 2019 at 10:39 PM Jean-Baptiste Onofré <[hidden email]> wrote:



--

ActiveMQ in Action: http://bit.ly/2je6cQ
Blog: http://bsnyder.org/ <http://bruceblog.org/>
Twitter: http://twitter.com/brucesnyder
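Triage logic for the kind of report the thread discusses, as an added example that is not part of the thread or of the ActiveMQ or dependency-check projects: it reads a constructed, trimmed stand-in for dependency-check's JSON report and compares the flagged jar's version with a hypothetical "fixed in" map a reviewer fills from the vendor advisory (the thread gives 5.15.6 for CVE-2018-11775; it gives no fixed-in version for CVE-2016-3088, so that finding is routed to manual verification instead of being guessed).

```python
"""Triage OWASP dependency-check findings against vendor 'fixed in' versions.

Added example, not code from the thread or the ActiveMQ project. SAMPLE_REPORT
is a constructed, trimmed stand-in for dependency-check's JSON output; FIXED_IN
is hypothetical reviewer input taken from the vendor advisory.
"""
import json
import re

# Constructed sample: one jar flagged with the two CVEs named in the thread.
SAMPLE_REPORT = json.dumps({
    "dependencies": [{
        "fileName": "activemq-kahadb-store-5.15.9.jar",
        "packages": [{"id": "pkg:maven/org.apache.activemq/activemq-kahadb-store@5.15.9"}],
        "vulnerabilities": [{"name": "CVE-2018-11775"}, {"name": "CVE-2016-3088"}],
    }]
})

# Fixed-in versions from the vendor advisory; None = not yet looked up.
FIXED_IN = {"CVE-2018-11775": "5.15.6", "CVE-2016-3088": None}


def parse_version(text):
    """Turn '5.15.9' into (5, 15, 9) for ordering; qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def triage(report_json, fixed_in):
    """Label each CVE 'likely-false-positive', 'vulnerable' or 'verify'.

    'likely-false-positive' means the jar version is at or above the advisory's
    fixed-in version, so the match came from NVD/CPE version ranges rather than
    from code that is actually present; 'verify' means no advisory data yet.
    """
    results = []
    for dep in json.loads(report_json)["dependencies"]:
        purl = dep["packages"][0]["id"]          # pkg:maven/group/artifact@version
        version = purl.rsplit("@", 1)[1]
        for vuln in dep["vulnerabilities"]:
            cve = vuln["name"]
            fixed = fixed_in.get(cve)
            if fixed is None:
                status = "verify"
            elif parse_version(version) >= parse_version(fixed):
                status = "likely-false-positive"
            else:
                status = "vulnerable"
            results.append((dep["fileName"], cve, status))
    return results


if __name__ == "__main__":
    for file_name, cve, status in triage(SAMPLE_REPORT, FIXED_IN):
        print(f"{file_name}: {cve} -> {status}")
```

Findings labelled likely-false-positive still need the advisory link recorded in a dependency-check suppression file so the reasoning survives the next scan.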