[ https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560570#comment-16560570 ]

Albert Baker commented on AMQ-6988:
-----------------------------------

Christian: I appreciate your position and stance, but the fact is that Apache's 
security reporting policy has proven to be ineffective countless times (name any 
breach in the last 20 years; it leveraged known, unpatched vulnerabilities). Apache 
security reporting triage teams end up dealing with many, many issues and, too 
often, try to /too/ quickly find reasons to ignore real issues. Central teams 
are over-burdened. This cycle perpetuates vulnerabilities that exist for years. 
A much more pro-active policy on Apache's part has already /proven/ to be 
extremely effective in the Camel project. This policy to include OWASP 
Dependency check in every nightly build must become the standard. This 
/distributes/ the load to all team members, which is a /much/ more scalable 
solution. Fact-of, in any given build in the last few years, there are /zero/ 
outstanding known vulnerabilities in Camel. This is the standard the world is 
now demanding. Will Apache be a future force for good by proactively 
eliminating vulnerabilities in all its projects, or continue to pave the road for 
bad actors to exploit, breach, and subvert all commercial systems going forward? 
You decide! Please include OWASP Dependency check in all Apache projects, 
and refuse the excuse not to do it because there are occasional false 
positives. The net benefit is overwhelmingly positive.

> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high 
> severity CVEs against it. Discovered by adding OWASP Dependency check into 
> ActiveMQ pom.xml and running the OWASP report
> -----------------------------------------------------------------------------
>
>                 Key: AMQ-6988
>                 URL: https://issues.apache.org/jira/browse/AMQ-6988
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and 
> Windows, Gig-LAN.  Will not accept the risk of having even one high severity 
> CVE in their environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high 
> severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report
> CVE-2015-5183 Severity: High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features. The Hawtio console in A-MQ does not set 
> HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184 Severity: High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features. The Hawtio console in A-MQ allows remote 
> attackers to obtain sensitive information and perform other unspecified 
> impact.
> CVE-2016-3088 Severity: High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation.
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows 
> remote attackers to upload and execute arbitrary files via an HTTP PUT 
> followed by an HTTP MOVE request.
> CONFIRM - 
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036
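The comment above argues for running OWASP Dependency-Check in every nightly build and handling the occasional false positive without disabling the scan. As an added example, not code from the ActiveMQ project or from the commenter, here is the shape of such a setup with the dependency-check-maven plugin: the pom.xml fragment fails the build on any finding of CVSS 7.0 or higher (the "High" band the issue lists), and reviewed false positives are recorded in a suppression file rather than by skipping the check. The plugin version, the suppression file path, the package URL and the CVE in the suppression file are placeholders, not values from this issue.

```xml
<!-- pom.xml fragment (constructed example): run Dependency-Check on every build -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- placeholder: pin a current release of the plugin -->
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Break the nightly build on any dependency with a known CVE
             scoring 7.0 or higher; lower scores are reported but do not fail. -->
        <failBuildOnCVSS>7.0</failBuildOnCVSS>
        <!-- Reviewed false positives are suppressed in a file checked into
             the repository, so each exemption is visible and auditable. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
    </plugin>
  </plugins>
</build>

<!-- owasp-suppressions.xml (constructed example): one reviewed false positive.
     Each entry names the affected artifact, the CVE being suppressed and the
     reason, so a later reviewer can re-check the decision. -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Placeholder: reviewed on DATE by NAME; the CPE match is a false
           positive because the flagged component is not the one this
           artifact bundles. Re-review when the artifact version changes.</notes>
    <!-- placeholder coordinates; regex restricts the suppression to one artifact -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <!-- placeholder identifier; suppress exactly one CVE, never the whole artifact -->
    <cve>CVE-XXXX-XXXXX</cve>
  </suppress>
</suppressions>
```

Running `mvn verify` with this configuration produces the HTML report in the target directory and fails the build when an unsuppressed finding at or above the threshold remains.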
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)