[
https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16558996#comment-16558996
]
Albert Baker commented on AMQ-6988:
-----------------------------------
Yeah but.... Russia, China, France, Israel, common criminals can all freely
download all open-source projects...have and continue to 24x7, edit the pom
file to include OWASP dependency check and in 15 minutes know what
vulnerabilities are in the projects. Google for proof-of-concept exploits to a
CVE and in another 15 minutes have a missile.
Is it better to:
# shine the light of day on vulnerabilities to increase the urgency of fixing?
# send an email that gets ignored and nothing ever happens? "Messages that
do not relate to the reporting or managing of an undisclosed security
vulnerability in Apache software are ignored and no further action is required."
# or have all Apache projects add OWASP Dependency check into the pom ahead of
time and run the report weekly to weed out vulnerabilities as part of the
normal process, like what the Apache Camel project now does?
I vote for #3, but until that is universal, #1 "shaming" is much more of an
incentive than #2, which is where we have been for 20 yrs and everything is
still broken. Sorry to rant...Thanks for fighting the good fight, but I've been
at this for 30 yrs...I'm done wasting time. Talk to Claus Ibsen, then push this
call out to everyone in all Apache projects.
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high
> severity CVEs against it. Discovered by adding OWASP Dependency check into
> ActiveMQ pom.xml and running the OWASP report
> -----------------------------------
>
> Key: AMQ-6988
> URL: https://issues.apache.org/jira/browse/AMQ-6988
> Project: ActiveMQ
> Issue Type: Bug
> Components: webconsole
> Affects Versions: 5.15.4
> Environment: Customer environment is a mix of Linux and
> Windows, Gig-LAN. Will not accept the risk of having even one high severity
> CVE in their environment.
> Reporter: Albert Baker
> Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high
> severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running
> the OWASP report
> CVE-2015-5183 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set
> HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote
> attackers to obtain sensitive information and perform other unspecified
> impact.
> CVE-2016-3088 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows
> remote attackers to upload and execute arbitrary files via an HTTP PUT
> followed by an HTTP MOVE request.
> CONFIRM -
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036
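The comment above argues for option #3: wiring OWASP Dependency-Check into the pom so the scan runs as part of the normal build rather than as a one-off. The snippet below is an added example of that wiring and is not taken from the AMQ-6988 thread or from the ActiveMQ pom; the plugin version, the CVSS threshold and the suppression-file path are assumptions.

```xml
<!-- Added example (not from AMQ-6988 or the ActiveMQ pom): run
     OWASP dependency-check-maven on every `mvn verify` so a finding
     like the ones reported in this issue fails the build instead of
     waiting for someone to run the report by hand. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Assumed version; pin whichever release is current when adding it. -->
      <version>8.4.0</version>
      <executions>
        <execution>
          <!-- Bound to verify so a CI job running `mvn verify` cannot skip it. -->
          <phase>verify</phase>
          <goals>
            <!-- `check` scans the resolved dependency tree, transitive jars
                 such as activemq-protobuf included, against the NVD data. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Fail on any finding scored CVSS 7.0 or higher; this covers the
             7.5 scores listed in the issue. The default (11) never fails. -->
        <failBuildOnCVSS>7.0</failBuildOnCVSS>
        <!-- HTML for people, JSON for tooling; both are written under target/. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
        <!-- Reviewed false positives are recorded here (assumed path) rather
             than hidden by raising the threshold. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
    </plugin>
  </plugins>
</build>
```

In a multi-module build such as ActiveMQ, put this in the parent pom and use the `aggregate` goal instead of `check` to get one report covering every module.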
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)