[ https://issues.apache.org/jira/browse/AMQ-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon closed AMQ-6993.
---------------------------------------
    Resolution: Invalid

These issues are reported against JBoss AMQ, which uses Hawtio, and not ActiveMQ, which does not use Hawtio.

> ActiveMQ 5.15.4 activeio-core-3.1.4.jar which has three high severity CVEs 
> against it.
> ---------------------------------------------------------------------------------------
>
>                 Key: AMQ-6993
>                 URL: https://issues.apache.org/jira/browse/AMQ-6993
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and 
> Windows, Gig-LAN (Medical & Financial services).  Will not accept the risk of 
> having even one high severity CVE in their environment. The cost of 
> (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed 
> systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 activeio-core-3.1.4.jar which has three high severity CVEs 
> against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report.
> CVE-2015-5183 Severity:High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features
> The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on 
> cookies.
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249182
> Vulnerable Software & Versions:
> cpe:/a:apache:activemq:-
> CVE-2015-5184 Severity:High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features
> The Hawtio console in A-MQ allows remote attackers to obtain sensitive 
> information and perform other unspecified impact.
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249183
> Vulnerable Software & Versions:
> cpe:/a:apache:activemq:-
> CVE-2016-3088 Severity:High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows 
> remote attackers to upload and execute arbitrary files via an HTTP PUT 
> followed by an HTTP
> MOVE request.
> CONFIRM - 
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036
> SECTRACK - 1035951
> Vulnerable Software & Versions:
> cpe:/a:apache:activemq:5.13.3 and all previous versions
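Given the resolution above (the Hawtio findings belong to JBoss A-MQ, and CVE-2016-3088 is stated as fixed in 5.14.0), the practical follow-up is to record these as documented false positives rather than turn the scanner off. The following OWASP Dependency-Check suppression file is an added illustration, not something from the issue or the ActiveMQ project; it assumes the Maven coordinates org.apache.activemq:activeio-core for the flagged jar and that the file is wired in through the dependency-check-maven plugin's suppressionFile setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check (not part of AMQ-6993).
     Each entry is scoped to one artifact (by package URL) and one CVE, so genuine
     future ActiveMQ findings on other modules are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2015-5183 / CVE-2015-5184 are Hawtio console findings. The maintainer's
       resolution states they are reported against JBoss AMQ, which uses Hawtio;
       Apache ActiveMQ does not use Hawtio, so the hit on activeio-core comes from
       the generic cpe:/a:apache:activemq:- identification and is a false positive.
       Assumed coordinates: org.apache.activemq:activeio-core. -->
  <suppress>
    <notes>False positive: Hawtio is not part of Apache ActiveMQ (see AMQ-6993 resolution).</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activeio\-core@.*$</packageUrl>
    <cve>CVE-2015-5183</cve>
  </suppress>
  <suppress>
    <notes>False positive: Hawtio is not part of Apache ActiveMQ (see AMQ-6993 resolution).</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activeio\-core@.*$</packageUrl>
    <cve>CVE-2015-5184</cve>
  </suppress>

  <!-- CVE-2016-3088 (fileserver PUT/MOVE upload) affects ActiveMQ 5.x before 5.14.0
       according to the advisory quoted in the report; the scanned build is 5.15.4.
       The suppression is time-boxed with an arbitrary placeholder date so the
       decision is re-checked rather than forgotten (the version could regress). -->
  <suppress until="2019-12-31Z">
    <notes>Fixed in ActiveMQ 5.14.0 per the advisory; deployment runs 5.15.4. Re-verify at expiry.</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activeio\-core@.*$</packageUrl>
    <cve>CVE-2016-3088</cve>
  </suppress>
</suppressions>
```

Keep the notes element filled in for every entry: a suppression without a recorded reason is indistinguishable from one that hides a real finding when the file is reviewed later.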

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
