@JB — Agreed, so far there is no published exploit that would impact ActiveMQ.
Here is the latest I was able to find from Spring regarding backports (sounds like no 4.x patch is coming): ref: https://github.com/spring-projects/spring-framework/issues/28260

Thanks,
Matt Pavlovich

> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi,
>
> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> ;)
>
> In the context of ActiveMQ, the CVE is not very severe IMHO.
>
> Regards
> JB
>
> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>>
>> @JB—
>>
>> The Spring release documentation is indicating that "older unsupported"
>> releases are impacted, i.e. Spring 4.x used by ActiveMQ 5.16.x.
>>
>> If we do not get a Spring 4.x fix, we may need a corresponding announcement
>> deprecating 5.16.x.
>>
>> Thoughts?
>> Matt Pavlovich
>>
>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>>
>>> Hi guys,
>>>
>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>>> submit it to vote during the weekend or next week.
>>>
>>> One of the main reasons is to update to Spring 5.3.18 which includes
>>> CVE fixes
>>> (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>>> I also have other fixes/updates to add.
>>>
>>> Regards
>>> JB
>>
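The thread boils down to one practical question for an operator: which Spring Framework does my broker actually bundle, and is it at or above the 5.3.18 that 5.17.1 will ship? The script below is an added example, not code from this thread or from the ActiveMQ or Spring projects. It assumes the broker's dependencies sit in a lib directory as spring-<module>-<version>.jar files (the path /opt/activemq/lib and the 4.3.30.RELEASE sample filename used in the comments are constructed for illustration), reads the version off the spring-core jar, and compares it component-wise against 5.3.18 so that a 4.x or 5.3.17 install is flagged.

```shell
#!/bin/sh
# Added example (not from the ActiveMQ or Spring projects).
# Assumption: an ActiveMQ install keeps its dependencies as
#   <lib dir>/spring-<module>-<version>.jar
# e.g. spring-core-5.3.18.jar or spring-core-4.3.30.RELEASE.jar (constructed names).

# Print the version embedded in the spring-core jar found in the given lib dir.
# Returns 1 (and prints nothing) when no such jar exists.
spring_version() {
    dir="$1"
    for jar in "$dir"/spring-core-*.jar; do
        if [ ! -e "$jar" ]; then
            return 1        # glob did not match anything
        fi
        base=$(basename "$jar" .jar)
        printf '%s\n' "${base#spring-core-}"
        return 0
    done
    return 1
}

# Return 0 if dotted version $1 is greater than or equal to $2.
# Components are compared numerically; a non-numeric component such as
# "RELEASE" counts as 0, so 4.3.30.RELEASE compares as 4.3.30.0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0        # every component equal
        fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop non-numeric suffixes
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Usage: check_spring_lib /opt/activemq/lib
# Prints a verdict and returns 0 when the bundled Spring is >= 5.3.18,
# 1 when it is older (the 4.x line the thread says has no fix), and
# 2 when no spring-core jar is present at all.
check_spring_lib() {
    v=$(spring_version "$1") || {
        echo "no spring-core jar found in $1"
        return 2
    }
    if version_ge "$v" 5.3.18; then
        echo "spring-core $v: at or above 5.3.18"
        return 0
    fi
    echo "spring-core $v: older than 5.3.18, plan the broker upgrade"
    return 1
}

# Stand-alone use: pass the lib directory as the first argument.
if [ -n "${1:-}" ]; then
    check_spring_lib "$1"
fi
```

The comparison deliberately treats a missing jar as its own outcome rather than as "patched": a broker whose Spring jars have been renamed or shaded should be inspected by hand, not silently passed.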