I don't think there is any need for code change, just a lack of documentation or a reference to refer to the jolokia docs on how to lock down jolokia. https://jolokia.org/reference/html/security.html#security-policy-location

I have not looked into that in detail but my guess is it should be possible to add that config.

On Fri, 18 Oct 2019 at 12:13, Colm O hEigeartaigh <[email protected]> wrote:
>
> Thanks Gary. OK so for 2 + 3, the issue is in Hawtio and not AMQ, so I will alert NIST about changing the CPE score for these issues so that we don't see CVEs appearing when scanning AMQ artifacts.
>
> Just to get a bit more clarity on your comment for point (1) - grepping the AMQ source for "jolokia.policyLocation" doesn't throw anything up. There is a reference in the Hawt IO source though for it (https://github.com/hawtio/hawtio/search?q=jolokia.policyLocation&unscoped_q=jolokia.policyLocation). Does this mean the issue was not fixed in AMQ?
>
> Colm.
>
> On Thu, Oct 17, 2019 at 2:32 PM Gary Tully <[email protected]> wrote:
> >
> > for 2 and 3, the fix is in the http endpoint configuration for hawtio
> > for 1, configuring jolokia.policyLocation is all that is required.
> > that was not possible in earlier versions of A-MQ.
> >
> > I don't think any of the above are relevant to activemq 5.
> >
> > On Thu, 17 Oct 2019 at 12:53, [email protected] <[email protected]> wrote:
> > >
> > > Hi Colm
> > >
> > > I will do a review as I'm preparing 5.16.0 and 5.15.11 releases.
> > >
> > > Thanks for the reminder.
> > >
> > > Regards
> > > JB
> > >
> > > On Thursday, October 17, 2019 13:52 CEST, Colm O hEigeartaigh <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > I previously posted this to the private list (last year), but I didn't get any reply - so maybe I'll have more luck here :-)
> > >
> > > I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which have no "fix" version associated with them. Please give me some feedback on the following:
> > >
> > > 1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 (https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The redhat bug is marked as "WONTFIX", so I'm not sure if this was accepted as a valid issue or not?
> > >
> > > 2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported against the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to do with AMQ. Could someone confirm this? Was there any fix made to the AMQ codebase for this issue?
> > >
> > > 3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported against the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to do with AMQ. Could someone confirm this? Was there any fix made to the AMQ codebase for this issue?
> > >
> > > I can communicate the findings with NIST to update the CVEs if I get some feedback.
> > >
> > > Colm.
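As an added illustration of the lock-down the linked Jolokia security page describes (this is not part of the thread above, nor a file shipped by ActiveMQ, Hawtio or Jolokia): a minimal Jolokia security policy that limits the JMX agent to read-only access from the local host and denies one attribute that commonly carries secrets. The file name and the path used to point at it are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jolokia-access.xml (added example; file location is a placeholder) -->
<restrict>
  <!-- Accept requests only from the local host; every other client is refused -->
  <remote>
    <host>127.0.0.1</host>
  </remote>

  <!-- Whitelist of Jolokia commands. Anything not listed here, in particular
       "write" and "exec", is refused regardless of the MBean involved. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
  </commands>

  <!-- Explicit deny entries are evaluated before allow entries, so this blocks
       reading the JVM's system properties even though "read" is permitted. -->
  <deny>
    <mbean>
      <name>java.lang:type=Runtime</name>
      <attribute>SystemProperties</attribute>
    </mbean>
  </deny>
</restrict>
```

The agent looks for `classpath:/jolokia-access.xml` by default; to use a file outside the classpath, set the system property named in the thread, e.g. `-Djolokia.policyLocation=file:///path/to/jolokia-access.xml` (placeholder path) in the JVM options of the broker. A quick check that the policy is in force is to issue a `read` of `java.lang:type=Runtime/SystemProperties` and an `exec` request from localhost and confirm both are refused, while a `read` of another attribute succeeds.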
