One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and some 5.16.x would not be impacted.
> On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
>
> @JB — Agreed, so far there is no published exploit that would impact
> ActiveMQ.
>
> Here is the latest I was able to find from Spring regarding backports (sounds
> like no 4.x patch is coming):
>
> ref: https://github.com/spring-projects/spring-framework/issues/28260
>
> Thanks,
> Matt Pavlovich
>
>> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>
>> Hi,
>>
>> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
>> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
>> ;)
>>
>> In the context of ActiveMQ, the CVE is not very severe IMHO.
>>
>> Regards
>> JB
>>
>> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>>>
>>> @JB—
>>>
>>> The Spring release documentation is indicating that “older unsupported”
>>> releases are impacted— i.e. Spring 4.x used by ActiveMQ 5.16.x.
>>>
>>> If we do not get a Spring 4.x fix, we may need a corresponding announcement
>>> deprecating 5.16.x.
>>>
>>> Thoughts?
>>> Matt Pavlovich
>>>
>>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>>>
>>>> Hi guys,
>>>>
>>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>>>> submit it to vote during the weekend or next week.
>>>>
>>>> One of the main reasons is to update to Spring 5.3.18 which includes
>>>> CVE fixes
>>>> (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>>>> I also have other fixes/updates to add.
>>>>
>>>> Regards
>>>> JB
>>>
>
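The thread keys an ActiveMQ deployment's exposure on two things: the JDK major version (the exploit discussed requires JDK 9+) and whether the bundled Spring jars are at or above the 5.3.18 release that carries the fix, with no fix expected for the 4.x line that ActiveMQ 5.16.x ships. The script below turns that into a check you can run against a broker's lib directory. It is an added example, not code from the thread or from the ActiveMQ project; the lib path, the `spring-*.jar` naming pattern, the status labels and the constructed sample jar names in the demo are assumptions of this script, and 5.3.18 is the fixed version cited in the thread.

```shell
#!/bin/sh
# Added example (not from the ActiveMQ project): flag Spring jars in an
# ActiveMQ lib/ directory that are older than the fixed release named in the
# thread, but only when the running JDK is 9 or newer, the precondition the
# thread gives for the current exploit.

FIXED_SPRING=5.3.18   # first fixed 5.3.x release per the Spring announcement

# Extract the Java major version from a `java -version` first line.
# Handles both the legacy "1.8.0_292" scheme and the modern "11.0.14" / "17" scheme.
jdk_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # 1.8.0_292 -> 8
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # 11.0.14   -> 11
  esac
}

# Numeric dotted-version compare: prints "yes" if $1 < $2, else "no".
# Plain `sort -V` is not POSIX, so compare component by component in awk.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p < q) { print "yes"; exit }
      if (p > q) { print "no";  exit }
    }
    print "no"
  }'
}

# Pull the numeric version out of a Spring jar file name (assumed pattern),
# e.g. spring-core-4.3.30.RELEASE.jar -> 4.3.30, spring-jms-5.3.16.jar -> 5.3.16.
jar_version() {
  printf '%s\n' "$1" | sed -n 's/^spring-.*-\([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# Combine the JDK gate with the version threshold. Status labels are this
# script's own: not-exposed-jdkN (exploit needs JDK 9+), unpatched, patched.
assess() {
  major=$(jdk_major "$1")
  [ -n "$major" ] || { echo unknown-jdk; return; }
  if [ "$major" -lt 9 ]; then echo "not-exposed-jdk$major"; return; fi
  if [ "$(version_lt "$2" "$FIXED_SPRING")" = yes ]; then echo unpatched; else echo patched; fi
}

# Walk a lib directory and print "<jar> <version> <status>" per Spring jar.
scan_lib() {
  dir=$1; jv=$2
  for jar in "$dir"/spring-*.jar; do
    [ -e "$jar" ] || continue          # unmatched glob stays literal; skip it
    name=${jar##*/}
    ver=$(jar_version "$name")
    [ -n "$ver" ] || continue
    printf '%s %s %s\n' "$name" "$ver" "$(assess "$jv" "$ver")"
  done
}

# Offline demo with constructed jar names (not a real broker's lib/): one
# 5.16-style Spring 4.x layout scanned under JDK 8 and under JDK 11.
demo() {
  d=$(mktemp -d)
  : > "$d/spring-core-4.3.30.RELEASE.jar"
  : > "$d/spring-jms-4.3.30.RELEASE.jar"
  : > "$d/activemq-broker-5.16.4.jar"   # not a Spring jar; must be ignored
  echo '# JDK 8:';  scan_lib "$d" 'openjdk version "1.8.0_292"'
  echo '# JDK 11:'; scan_lib "$d" 'openjdk version "11.0.14" 2022-01-18'
  rm -rf "$d"
}

# Live run: `sh check_spring.sh /opt/activemq/lib` (path is an assumption).
# `java -version` writes to stderr, hence the redirect.
if [ $# -ge 1 ]; then
  scan_lib "$1" "$(java -version 2>&1 | head -n 1)"
else
  demo
fi
```

The script is deliberately conservative: anything below 5.3.18, including the 4.x jars for which the thread says no backport is coming, is reported as `unpatched`, and the JDK gate is only the necessary condition the thread mentions, so `unpatched` means "plan the upgrade", not "confirmed exploitable". A 5.15.x/5.16.x broker pinned to JDK 8 comes back `not-exposed-jdk8`, which is exactly the population the top message says is not impacted.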