Hi,

ActiveMQ 5.18.x will be out of support as soon as 6.2.x is out, so
pretty quickly.

ActiveMQ 5.18.x is (still) there for people still using Java 11 and
Spring 5. We already strongly advise users to upgrade to ActiveMQ
6.x.

IMHO, CVE-2024-38816 doesn't impact ActiveMQ as we are not using
RoutingFunction in the ActiveMQ Console.

So, about this CVE, no impact for ActiveMQ WebConsole.

About your larger question, I think it's fine as 5.18.x won't be
supported soon and users can already upgrade to ActiveMQ 6.x.

Regards
JB

On Wed, Nov 27, 2024 at 11:05 PM Ken Liao <kenlia...@gmail.com> wrote:
>
> Hi Matthew,
>
> CVE-2024-38819 <https://spring.io/security/cve-2024-38819> is similar to
> CVE-2024-38816 <https://spring.io/security/cve-2024-38816> and from the
> description
>
> Specifically, an application is vulnerable when both of the following are
> true:
>
>    - the web application uses RouterFunctions to serve static resources
>    - resource handling is explicitly configured with a FileSystemResource
>    location
>
>
> This CVE is an issue if these two statements are true. Performing a simple
> code search on the activemq-5.18.x branch, there's no use of
> RouterFunctions anywhere. So from this quick inspection, it seems to me
> that ActiveMQ 5 is not impacted by this CVE. Nevertheless, I am not
> familiar with how the web console of ActiveMQ works yet. Could someone with
> more knowledge on it chime in and confirm this CVE doesn't actually impact
> ActiveMQ 5.18.x?
>
> In my opinion, a bigger problem is that ActiveMQ 5.18.x is being actively
> supported per https://activemq.apache.org/components/classic/download/ but
> it is stuck with a dependency (Spring 5 open source release in this case)
> that is out of support. How should we address this problem (and future
> problems for its other dependencies) other than warning the users about it?
>
> Thanks,
> Ken
>
> On Wed, Nov 27, 2024 at 10:13 AM Matthew Gay
> <matthew....@broadcom.com.invalid> wrote:
>
> > Hi Ken,
> >
> > It was this one:
> >
> > https://spring.io/security/cve-2024-38819
> >
> > Thanks!
> > Matt
> >
> >
> > Matthew Gay
> >
> > Principal Support Engineer | Agile Operations Division
> >
> > Broadcom
> >
> > matthew....@broadcom.com
> >
> > Twitter <https://twitter.com/BroadcomSW> | LinkedIn
> > <https://www.linkedin.com/company/broadcomsoftware>
> >
> >
> > To help expedite routing to the correct SME, please follow these
> > SUGGESTIONS <https://knowledge.broadcom.com/external/article?articleId=275717>
> > when opening a DX NetOps case
> >
> >
> > On Wed, Nov 27, 2024 at 1:12 PM Ken Liao <kenlia...@gmail.com> wrote:
> >
> >> Matt, the CVE you are referring to is this one
> >> https://spring.io/security/cve-2024-38816 ?
> >>
> >> Thanks,
> >> Ken
> >>
> >> On Wed, Nov 27, 2024 at 7:51 AM Matt Pavlovich <mattr...@gmail.com>
> >> wrote:
> >>
> >> > Matthew-
> >> >
> >> > The workaround for the Spring MVC CVE is to disable the web console by
> >> > removing the jetty.xml import from the activemq.xml.
> >> >
> >> > We have been discussing removing Spring as a required dependency for
> >> > ActiveMQ and I expect this situation to expedite those efforts.
> >> >
> >> > On a seemingly ironic or perhaps Shakespearean comical related note— I
> >> > would request that you bubble up the request to the management at
> >> > Broadcom. Broadcom purchased VMware (which I believe still owns
> >> > SpringSource and the Spring dev team), so Broadcom management is fully
> >> > in a position to solve this pain point impacting Broadcom by simply
> >> > approving an open source release with the CVE fix.
> >> >
> >> > Thanks,
> >> > Matt Pavlovich
> >> >
> >> > > On Nov 26, 2024, at 11:50 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >> > >
> >> > > Hi,
> >> > >
> >> > > Spring doesn't provide new versions on 5.3.x outside of enterprise
> >> > > support.
> >> > >
> >> > > You can see that 5.3.41 is not available on Maven Central (it's only
> >> > > on the private Spring repo).
> >> > >
> >> > > So, I strongly encourage upgrading to the new ActiveMQ version that
> >> > > uses the new Spring version.
> >> > >
> >> > > Regards
> >> > > JB
> >> > >
> >> > >
> >> > > On Tue, Nov 26, 2024 at 5:12 PM Matthew Gay <matthew....@broadcom.com.invalid> wrote:
> >> > >
> >> > >> Sorry, I got my versions mixed up.
> >> > >>
> >> > >> Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
> >> > >> 5.3.41 resolves those vulnerabilities.
> >> > >>
> >> > >> What version of AMQ will be updating Spring to that version?
> >> > >> I see on your link provided (thank you) that it is still 5.3.39 with a
> >> > >> release date of late December.
> >> > >>
> >> > >> Shouldn't AMQ include the latest Spring?
> >> > >>
> >> > >> On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >> > >>
> >> > >>> Hi Matt
> >> > >>>
> >> > >>> Not sure I understand: Spring 5.18.41 doesn't exist afaik
> >> > >>> (https://repo1.maven.org/maven2/org/springframework/spring-core/).
> >> > >>>
> >> > >>> ActiveMQ 5.18.x is using Spring 5.3.39.
> >> > >>>
> >> > >>> You can find the Spring versions used in the table here:
> >> > >>> https://activemq.apache.org/components/classic/download/ (in the
> >> > >>> schedule & status section).
> >> > >>>
> >> > >>> Regards
> >> > >>> JB
> >> > >>>
> >> > >>> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay <matthew....@broadcom.com.invalid> wrote:
> >> > >>>
> >> > >>>> Hi Team,
> >> > >>>>
> >> > >>>> Is there any timeline or versioning available for when AMQ will
> >> > >>>> update to Spring 5.18.41?
> >> > >>>>
> >> > >>>> Thanks!
> >> > >>>> Matt
> >> > >>>>
> >> > >>>> This electronic communication and the information and any files
> >> > >>>> transmitted with it, or attached to it, are confidential and are intended
> >> > >>>> solely for the use of the individual or entity to whom it is addressed and
> >> > >>>> may contain information that is confidential, legally privileged, protected
> >> > >>>> by privacy laws, or otherwise restricted from disclosure to anyone else. If
> >> > >>>> you are not the intended recipient or the person responsible for delivering
> >> > >>>> the e-mail to the intended recipient, you are hereby notified that any use,
> >> > >>>> copying, distributing, dissemination, forwarding, printing, or copying of
> >> > >>>> this e-mail is strictly prohibited. If you received this e-mail in error,
> >> > >>>> please return the e-mail to the sender, delete it from your computer, and
> >> > >>>> destroy any printed copy of it.
> >> > >>>
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org
> >> > For additional commands, e-mail: dev-h...@activemq.apache.org
> >> > For further information, visit: https://activemq.apache.org/contact
> >> >
> >> >
> >> >
> >>

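An added example, not part of the thread and not ActiveMQ project code: a POSIX shell script that checks an ActiveMQ 5.x "Classic" installation for the three things the messages above turn on, namely which spring-core version sits in lib/ (5.18.x ships 5.3.39, and Matthew names 5.3.41 as the release that resolves the issue), whether conf/activemq.xml still carries a live <import resource="jetty.xml"/> (Matt Pavlovich's workaround is to remove it, which disables the web console), and whether a source tree references RouterFunctions (the search Ken describes; both CVEs require an application to use that API). The lib/ and conf/ layout, the spring-core-<version>.jar naming, and the throwaway fixture the demo builds are assumptions made here, not details taken from the thread.

```shell
# Added example, not code from the ActiveMQ project or anyone in this thread.
# It checks an ActiveMQ 5.x "Classic" install for what the thread turns on: the
# Spring version in lib/ (5.18.x ships 5.3.39; 5.3.41 is named as fixed), a
# live <import resource="jetty.xml"/> in conf/activemq.xml (web console on; the
# stated workaround removes it), and RouterFunctions use in a source tree (both
# CVEs require it). The lib/, conf/ layout and jar naming are assumptions.

FIXED_SPRING="5.3.41"

# Version of a Spring artifact in $1/lib (default spring-core), or "none".
spring_version() {
  _dir=$1; _prefix="${2:-spring-core}-"
  for _jar in "$_dir"/lib/"$_prefix"*.jar; do
    [ -e "$_jar" ] || continue
    _base=$(basename "$_jar" .jar)
    printf '%s\n' "${_base#$_prefix}"
    return 0
  done
  printf 'none\n'
}

# Exit 0 when dotted version $1 is strictly lower than $2 (numeric per component).
version_lt() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    if [ "$_x" = "$_a" ]; then _a=; else _a=${_a#*.}; fi
    if [ "$_y" = "$_b" ]; then _b=; else _b=${_b#*.}; fi
    _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}; _x=${_x:-0}; _y=${_y:-0}
    if [ "$_x" -lt "$_y" ]; then return 0; elif [ "$_x" -gt "$_y" ]; then return 1; fi
  done
  return 1
}

# Exit 0 when conf/activemq.xml under $1 imports jetty.xml outside any XML
# comment, so a commented-out import (one way to disable the console) is not live.
web_console_enabled() {
  awk '{
    line = $0
    for (;;) {
      if (incomment) {
        i = index(line, "-->"); if (i == 0) { line = ""; break }
        line = substr(line, i + 3); incomment = 0
      } else {
        i = index(line, "<!--"); if (i == 0) break
        kept = kept substr(line, 1, i - 1)
        line = substr(line, i + 4); incomment = 1
      }
    }
    kept = kept line "\n"
  }
  END { exit (kept ~ /<import[^>]*resource="jetty\.xml"/) ? 0 : 1 }' "$1/conf/activemq.xml" 2>/dev/null
}

# Exit 0 when a .java file under $1 mentions RouterFunctions (Ken's search). Run
# it over a source tree, not over the Spring jars, which define the class.
routerfunctions_referenced() {
  find "$1" -name '*.java' -exec grep -l 'RouterFunctions' {} + 2>/dev/null | grep -q .
}

# Summary for install $1 (and source tree $2). Exit 2: no Spring jar; exit 1:
# Spring older than $FIXED_SPRING with the console enabled; exit 0 otherwise.
assess() {
  _inst=$1; _src=${2:-}
  _ver=$(spring_version "$_inst")
  if [ "$_ver" = none ]; then echo "spring-core: not found in $_inst/lib"; return 2; fi
  _console=disabled; web_console_enabled "$_inst" && _console=enabled
  _router=no; if [ -n "$_src" ] && routerfunctions_referenced "$_src"; then _router=yes; fi
  echo "spring-core: $_ver (fixed release named in thread: $FIXED_SPRING)"
  echo "web console: $_console"
  [ -z "$_src" ] || echo "RouterFunctions in $_src: $_router"
  if version_lt "$_ver" "$FIXED_SPRING" && [ "$_console" = enabled ]; then
    echo "action: upgrade, or drop the jetty.xml import from conf/activemq.xml"
    return 1
  fi
  return 0
}

# Constructed fixture (not a real distribution): spring-core-$1.jar in lib/,
# jetty.xml import live ($2=on) or commented out ($2=off), one Java source file.
make_fixture() {
  _ver=${1:-5.3.39}; _mode=${2:-on}; _open=; _close=
  [ "$_mode" = off ] && _open='<!-- ' && _close=' -->'
  _root=$(mktemp -d)
  mkdir -p "$_root/lib" "$_root/conf" "$_root/src"
  : > "$_root/lib/spring-core-$_ver.jar"
  cat > "$_root/conf/activemq.xml" <<EOF
<beans>
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>
  ${_open}<import resource="jetty.xml"/>${_close}
</beans>
EOF
  printf 'public class Console { }\n' > "$_root/src/Console.java"
  printf '%s\n' "$_root"
}

# Demo against a fixture shaped like the 5.18.x install the thread describes.
fixture=$(make_fixture 5.3.39 on)
rc=0; assess "$fixture" "$fixture/src" || rc=$?
echo "exit status $rc"; rm -rf "$fixture"
```

Point assess at a real install (for example `assess /opt/activemq /path/to/activemq-source`); it exits 1 only when it sees both a spring-core older than 5.3.41 and a live jetty.xml import. It reports facts and leaves the impact call to the reader: JB's point above is that the console does not use RouterFunctions, in which case the precondition in the Spring advisory is not met whatever the jar version says, and the RouterFunctions search is the part of the output that speaks to that.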