[jira] [Commented] (AMQ-6991) ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.

Thu, 26 Jul 2018 15:17:30 -0700 


    [ 
https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16558970#comment-16558970
 ] 

Albert Baker commented on AMQ-6991:
-----------------------------------

Thanks Christopher !

> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs 
> against it.
> ----------------------------------------------------------------------------------
>
>                 Key: AMQ-6991
>                 URL: https://issues.apache.org/jira/browse/AMQ-6991
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and 
> Windows, Gig-LAN (Medical & Finacial services).  Will not accept the risk of 
> having even one high severity CVE in thier environment. The cost of 
> (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed 
> systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs 
> against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report.
> CVE-2012-4449 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
> Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate 
> token passwords using a 20-bit secret when Kerberos security features are 
> enabled, which
> makes it easier for context-dependent attackers to crack secret keys via a 
> brute-force attack.
> CONFIRM - 
> https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0
> MLIST - [hadoop-general] 20121012 [ANNOUNCE] Hadoop-1.0.4 release, with 
> Security fix
> Vulnerable Software & Versions: (show all)
> cpe:/a:apache:hadoop:1.0.0
> CVE-2017-3162 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> HDFS clients interact with a servlet on the DataNode to browse the HDFS 
> namespace. The NameNode is provided as a query parameter that is not 
> validated in Apache
> Hadoop before 2.7.0.
> BID - 98017
> MLIST - [hadoop-common-dev] 20170425 CVE-2017-3162: Apache Hadoop DataNode 
> web UI vulnerability
> Vulnerable Software & Versions:
> cpe:/a:apache:hadoop:2.6.5 and all previous versions



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to