[ https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559047#comment-16559047 ]
Christopher L. Shannon commented on AMQ-6988: --------------------------------------------- Regardless of your feelings about how security issues should be handled the Apache software foundation has a process in place to report vulnerabilities. If you have been in this business for 30 years then you should understand that it's not appropriate to discuss vulnerabilities in a public forum regardless of how easy you think they are to discover. If you do not like Apache's policy then feel free to bring it up with the security team for discussion but as a PMC member of this project it is my responsibility to please ask you to follow the security process and not bypass by posting on a public forum. > ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high > severity CVEs against it.Discovered by adding OWASP Dependency check into > ActiveMQ pom.xml and running the OWASP report > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: AMQ-6988 > URL: https://issues.apache.org/jira/browse/AMQ-6988 > Project: ActiveMQ > Issue Type: Bug > Components: webconsole > Affects Versions: 5.15.4 > Environment: Environment: Customer environment is a mix of Linux and > Windows, Gig-LAN. Will not accept the risk of having even one high severity > CVE in thier environment. > Reporter: Albert Baker > Priority: Blocker > > ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high > severity CVEs against it. > Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running > the OWASP report > CVE-2015-5183 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) > CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set > HTTPOnly or Secure attributes on cookies. > CVE-2015-5184 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) > CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote > attackers to obtain sensitive information and perform other unspecified > impact. > CVE-2016-3088 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) > CWE: CWE-20 Improper Input Validation > The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows > remote attackers to upload and execute arbitrary files via an HTTP PUT > followed by an HTTP MOVE request. > CONFIRM - > http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt > EXPLOIT-DB - 42283 > MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356 > MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357 > REDHAT - RHSA-2016:2036 -- This message was sent by Atlassian JIRA (v7.6.3#76005)