Hi Bruce; Yees ActiveMQ 5.17.x requires JDK 11, and yes, client part doesn't use Spring (only broker does).
Regards JB On Fri, Apr 1, 2022 at 11:41 PM W B D <w...@users.sourceforge.net> wrote: > > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or > >1.8 in any case) at runtime, even if only using the client JAR (without > the additional dependencies required to support embedded brokers using the > vm and peer transports, for example). > > And second, please confirm, I don't need to worry about these Spring > related vulnerabilities if using only the client JAR e.g. for tcp or > failover connections, with no embedded brokers. > > If this second point is correct, then at least it shouldn't be a big deal > if some of our client applications do need to reference ActiveMQ client > version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+. > > Thanks, > Bruce D > > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattr...@gmail.com> wrote: > > > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and > > some 5.16.x would not be impacted. > > > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote: > > > > > > @JB — Agreed, so far there is no published exploit that would impact > > ActiveMQ. > > > > > > Here is the lates I was able to find from Spring regarding backports > > (sounds like no 4.x patch is coming): > > > > > > ref: https://github.com/spring-projects/spring-framework/issues/28260 < > > https://github.com/spring-projects/spring-framework/issues/28260> > > > > > > Thanks, > > > Matt Pavlovich > > > > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net > > <mailto:j...@nanthrax.net>> wrote: > > >> > > >> Hi, > > >> > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of > > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict" > > >> ;) > > >> > > >> In the context of ActiveMQ, the CVE is not very severe IMHO. > > >> > > >> Regards > > >> JB > > >> > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com > > <mailto:mattr...@gmail.com>> wrote: > > >>> > > >>> @JB— > > >>> > > >>> The Spring release documentation is indicating that “older > > unsupported” releases impacted— ie Spring 4.x used by ActiveMQ 5.16.x. > > >>> > > >>> If we do not get a Spring 4.x fix, we may need a corresponding > > announcement deprecating 5.16.x. > > >>> > > >>> Thoughts? > > >>> Matt Pavlovich > > >>> > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net > > <mailto:j...@nanthrax.net>> wrote: > > >>>> > > >>>> Hi guys, > > >>>> > > >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to > > >>>> submit it to vote during the weekend or next week. > > >>>> > > >>>> One of the main reasons is to update to Spring 5.3.18 which includes > > >>>> CVE fixes ( > > https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement > > <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement > > >). > > >>>> I also have other fixes/updates to add. > > >>>> > > >>>> Regards > > >>>> JB > > >>> > > > > > > >
