As Clebert noted, WildFly *doesn't ship* any of the libraries affected by
CVE-2023-46604 (i.e. activemq-client.jar & activemq-openwire-legacy.jar) so
it's not vulnerable unless you've manually configured support for OpenWire
and added such libraries yourself. If that's the case then you can simply
upgrade them to the corresponding minor version with the fix.


Justin

On Fri, Nov 10, 2023 at 12:59 AM Bhargav Budida <bhargav.bud...@gmail.com>
wrote:

> Thanks for your responses.
>
> We are currently using *JDK 1.8* and we understand the latest supported
> activeMQ-artemis version is 2.19.1.
> Actually, we can't upgrade the JDK 1.8 version immediately due to some
> backward compatibility issues.
> However, looking at the criticality of the vulnerability *CVE-2023-46604*,
> we are eagerly looking for a solution keeping JDK8 and related compatible
> activeMQ-artemis version 2.19.x.
> So do you have a fix with 2.19.x version? If not, could you please let us
> know the plan to fix the mentioned CVE in 2.19.x version.
>
>
>
> On Fri, Nov 10, 2023 at 9:04 AM Clebert Suconic <clebert.suco...@gmail.com>
> wrote:
>
> > The Artemis in wildfly is not affected by the CVE as openwire is not
> > deployed in openwire.
> >
> >
> > Also 2.31 requires jdk 11 but I think it’s a worthwhile choice as there are
> > many fixes in the broker.
> >
> > On Thu, Nov 9, 2023 at 9:40 AM Bhargav Budida <bhargav.bud...@gmail.com>
> > wrote:
> >
> > > Hi Team,
> > >
> > > This is regarding a recent vulnerability
> > > CVE-2023-46604
> > > I am currently using *activeMQ-artemis 2.16.0*, (Jboss) *Wildfly 24.0.0*
> > > and *JDK 1.8*.
> > >
> > > The latest version of activeMQ-artemis 2.31.2 is not supported by jdk1.8.
> > > So I need your assistance with the below queries:
> > > 1. Will activeMQ artemis 2.31.2 be compatible with JDK 11 + Wildfly
> > > 24.0.0.final or not?
> > > 2. Are there any configurations required to work with the latest artemis
> > > 2.31.2 version, so that it could be compatible with my current server
> > > (Wildfly 24.0.0) version?
> > > 3. As per the mitigation plan over CVE we need to upgrade to 2.31.2 version
> > > which is compatible with JDK 11. Similar to this, do we have the fix in
> > > artemis 2.19.x version, as it is compatible with JDK 8?
> > >
> > > Please consider this a priority and share your thoughts ASAP.
> > > Thanks in advance
> > >
> > > --
> > > Thanks & Regards
> > > Bhargav
> > > 9860584899
> > >
> >
>
>
> --
> Thanks & Regards
> Bhargav
> 9860584899
>
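
One way to check the condition described in the top reply, namely whether activemq-client or activemq-openwire-legacy jars were added to an installation (an added example, not code from this thread or from the WildFly or ActiveMQ projects). It matches on file names only and also looks inside deployment archives; the archive extensions, the function names and the sample layout with version 0.0.0 are assumptions constructed for the demo.

```python
import io, os, re, tempfile, zipfile

# Artifact names come from the message above; the version is whatever the file name carries.
JAR_RE = re.compile(r"(?:^|/)(activemq-(?:client|openwire-legacy))(?:-([0-9][^/]*?))?\.jar$")
ARCHIVES = (".war", ".ear", ".rar", ".sar")  # assumed set of deployment archive types

def _scan_zip(data, label, hits, depth=0):
    """Record matching jars inside an archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: nothing to record
    with zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                hits.append((m.group(1), m.group(2) or "unknown", f"{label}!/{name}"))
            elif name.lower().endswith(ARCHIVES) and depth < 3:
                _scan_zip(zf.read(name), f"{label}!/{name}", hits, depth + 1)

def find_openwire_jars(root):
    """Return sorted (artifact, version, location) tuples found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            m = JAR_RE.search(fn)
            if m:
                hits.append((m.group(1), m.group(2) or "unknown", path))
            elif fn.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    _scan_zip(fh.read(), path, hits)
    return sorted(hits)

def demo():
    """Constructed layout: a clean module dir plus an EAR that bundles the client jar."""
    root = tempfile.mkdtemp()
    mod = os.path.join(root, "modules", "artemis")
    os.makedirs(mod)
    open(os.path.join(mod, "artemis-server-0.0.0.jar"), "wb").close()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/activemq-client-0.0.0.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "app.ear"), "w") as z:
        z.writestr("web.war", war.getvalue())
    return find_openwire_jars(root)

if __name__ == "__main__":
    for artifact, version, where in demo():
        print(f"{artifact} {version}  {where}")
```

An empty result for a real installation root means no jar with either name was found by file name; any hit should have its version compared against the fixed releases listed in the CVE-2023-46604 advisory.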
