[jira] [Commented] (AMQ-6988) ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high severity CVEs against it.Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report

Mon, 18 Jun 2018 07:42:29 -0700 


    [ 
https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16515796#comment-16515796
 ] 

Albert Baker commented on AMQ-6988:
-----------------------------------

2.11 is the latest version in maven central :

[http://mvnrepository.com/artifact/org.apache.activemq.protobuf/activemq-protobuf]

Yet this CVE has been open for three yrs ?

 

> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high 
> severity CVEs against it.Discovered by adding OWASP Dependency check into 
> ActiveMQ pom.xml and running the OWASP report
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6988
>                 URL: https://issues.apache.org/jira/browse/AMQ-6988
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and 
> Windows, Gig-LAN.  Will not accept the risk of having even one high severity 
> CVE in thier environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high 
> severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report
> CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set 
> HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote 
> attackers to obtain sensitive information and perform other unspecified 
> impact.
> CVE-2016-3088 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows 
> remote attackers to upload and execute arbitrary files via an HTTP PUT 
> followed by an HTTP MOVE request.
> CONFIRM - 
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to