[
https://issues.apache.org/jira/browse/AMQ-6995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher L. Shannon closed AMQ-6995.
---------------------------------------
Resolution: Invalid
This appears to be referring to JBoss AMQ, which is not the same thing as
ActiveMQ. ActiveMQ does not contain or use hawtio.
> ActiveMQ 5.15.4 activemq-ra-5.15.4.jar which has two high severity CVEs
> against it.
> -----------------------------------------------------------------------------------
>
> Key: AMQ-6995
> URL: https://issues.apache.org/jira/browse/AMQ-6995
> Project: ActiveMQ
> Issue Type: Bug
> Components: webconsole
> Affects Versions: 5.15.4
> Environment: Environment: Customer environment is a mix of Linux and
> Windows, Gig-LAN (Medical & Financial services). Will not accept the risk of
> having even one high severity CVE in their environment. The cost of
> (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed
> systems.
> Reporter: Albert Baker
> Priority: Blocker
>
> CVE-2015-5183 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features
> The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on
> cookies.
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249182
> Vulnerable Software & Versions:
> cpe:/a:apache:activemq:-
> CVE-2015-5184 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features
> The Hawtio console in A-MQ allows remote attackers to obtain sensitive
> information and perform other unspecified impact.
> CONFIRM - https://bugzilla.redhat.c