Hi Bruce;

Yes, ActiveMQ 5.17.x requires JDK 11, and yes, the client part doesn't use
Spring (only the broker does).

Regards
JB

On Fri, Apr 1, 2022 at 11:41 PM W B D <w...@users.sourceforge.net> wrote:
>
> Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
> >1.8 in any case) at runtime, even if only using the client JAR (without
> the additional dependencies required to support embedded brokers using the
> vm and peer transports, for example).
>
> And second, please confirm, I don't need to worry about these Spring
> related vulnerabilities if using only the client JAR e.g. for tcp or
> failover connections, with no embedded brokers.
>
> If this second point is correct, then at least it shouldn't be a big deal
> if some of our client applications do need to reference ActiveMQ client
> version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
>
> Thanks,
> Bruce D
>
> On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> > some 5.16.x would not be impacted.
> >
> > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
> > >
> > > @JB — Agreed, so far there is no published exploit that would impact
> > ActiveMQ.
> > >
> > > Here is the latest I was able to find from Spring regarding backports
> > (sounds like no 4.x patch is coming):
> > >
> > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net
> > <mailto:j...@nanthrax.net>> wrote:
> > >>
> > >> Hi,
> > >>
> > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> > >> ;)
> > >>
> > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > >>
> > >> Regards
> > >> JB
> > >>
> > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com
> > <mailto:mattr...@gmail.com>> wrote:
> > >>>
> > >>> @JB—
> > >>>
> > >>> The Spring release documentation is indicating that “older
> > unsupported” releases impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> > >>>
> > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > announcement deprecating 5.16.x.
> > >>>
> > >>> Thoughts?
> > >>> Matt Pavlovich
> > >>>
> > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net
> > <mailto:j...@nanthrax.net>> wrote:
> > >>>>
> > >>>> Hi guys,
> > >>>>
> > >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > >>>> submit it to vote during the weekend or next week.
> > >>>>
> > >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> > >>>> CVE fixes (
> > https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement ).
> > >>>> I also have other fixes/updates to add.
> > >>>>
> > >>>> Regards
> > >>>> JB
> > >>>
> > >
> >
> >
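A defender-side check for the classpath question Bruce raises above, written as an added example that is not from this list or the ActiveMQ project: it applies the conditions stated in the thread (Spring 5.3.18 carries the fix, the known exploit needs JDK 9+, no Spring 4.x patch is expected, and the ActiveMQ client jar itself does not pull in Spring) to a list of jar file names and the output of `java -version`. The jar names and version strings in the test are constructed, and the function names are my own.

```python
import re
from typing import Iterable, List, Tuple

# Conditions taken from the thread (not from any advisory text):
# Spring 5.3.18 is the fixed release, the known exploit needs JDK 9+,
# and no fix for the Spring 4.x line is expected.
FIXED_SPRING = (5, 3, 18)
MIN_EXPLOITABLE_JDK = 9

# `java -version` prints e.g. 'openjdk version "11.0.14" 2022-01-18'
JAVA_VERSION_RE = re.compile(r'version "([^"]+)"')
# Matches spring-core-5.3.17.jar and spring-webmvc-4.3.30.RELEASE.jar
SPRING_JAR_RE = re.compile(
    r'^spring-[\w-]+?-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$')


def java_major(version_output: str) -> int:
    """Major version from `java -version` output:
    '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    m = JAVA_VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no version string found in output")
    parts = m.group(1).split(".")
    # Pre-9 JDKs used the legacy 1.x scheme.
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def spring_versions(jar_names: Iterable[str]) -> List[Tuple[int, int, int]]:
    """(major, minor, patch) for every Spring Framework jar on the classpath."""
    found = []
    for name in jar_names:
        m = SPRING_JAR_RE.match(name)
        if m:
            found.append(tuple(int(x) for x in m.groups()))
    return found


def assess(jar_names: Iterable[str], version_output: str) -> str:
    """Classify a deployment using only the thread's stated conditions."""
    springs = spring_versions(jar_names)
    if not springs:
        # A client-only deployment (tcp/failover, no embedded broker)
        # carries no Spring jars, so this CVE does not apply to it.
        return "not-affected: no Spring Framework jars on the classpath"
    if java_major(version_output) < MIN_EXPLOITABLE_JDK:
        return "mitigated: known exploit requires JDK 9+, runtime is older"
    oldest = min(springs)
    if oldest[0] < 5:
        return "exposed: Spring 4.x present and no 4.x fix is expected"
    if oldest < FIXED_SPRING:
        return "exposed: Spring %d.%d.%d is older than 5.3.18" % oldest
    return "patched: all Spring jars are 5.3.18 or newer"
```

Run it against the jar names from a real `lib/` directory and the captured `java -version` output of the JVM that actually starts the application, since a different JDK on PATH gives a misleading answer.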