[ https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16553622#comment-16553622 ]
Jamie Goodyear commented on AMQ-6991:
-------------------------------------

The hadoop library is only used for testing LevelDB:

./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/dfs/DFSLevelDBClient.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/dfs/DFSLevelDBStore.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/test/TestingHDFSServer.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/test/DFSLevelDBFastEnqueueTest.scala

The impact of using that library in a unit test is minimal - I'd suggest we could close this card as not-an-issue.

> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.
> ----------------------------------------------------------------------------------
>
>                 Key: AMQ-6991
>                 URL: https://issues.apache.org/jira/browse/AMQ-6991
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services). Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.
>
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
>
> CVE-2012-4449 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
> Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
> CONFIRM - https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0
> MLIST - [hadoop-general] 20121012 [ANNOUNCE] Hadoop-1.0.4 release, with Security fix
> Vulnerable Software & Versions:
> cpe:/a:apache:hadoop:1.0.0
>
> CVE-2017-3162 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.
> BID - 98017
> MLIST - [hadoop-common-dev] 20170425 CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability
> Vulnerable Software & Versions:
> cpe:/a:apache:hadoop:2.6.5 and all previous versions

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)