[jira] [Commented] (AMQ-6988) ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high severity CVEs against it.Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report

[Christopher L. Shannon (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AMQ-6988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560730#comment-16560730
 ] 

Christopher L. Shannon commented on AMQ-6988:
---------------------------------------------

I agree with the dependency check, I don't see any reason not to include the 
OWASP check in both the ActiveMQ 5.x builds and our Artemis builds and to run 
it periodically stay on top of things.  I think the Versions maven plugin is 
also useful just to know when any dependency has been updated.  There are so 
many dependencies that it is too difficult to stay on top of all the updates 
manually.

> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has three high 
> severity CVEs against it.Discovered by adding OWASP Dependency check into 
> ActiveMQ pom.xml and running the OWASP report
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6988
>                 URL: https://issues.apache.org/jira/browse/AMQ-6988
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Environment: Customer environment is a mix of Linux and 
> Windows, Gig-LAN.  Will not accept the risk of having even one high severity 
> CVE in thier environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-protobuf-1.1.jar which has two high 
> severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report
> CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set 
> HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote 
> attackers to obtain sensitive information and perform other unspecified 
> impact.
> CVE-2016-3088 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows 
> remote attackers to upload and execute arbitrary files via an HTTP PUT 
> followed by an HTTP MOVE request.
> CONFIRM - 
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
> EXPLOIT-DB - 42283
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
> MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
> REDHAT - RHSA-2016:2036



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)