[
https://issues.apache.org/jira/browse/ARTEMIS-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16878857#comment-16878857
]
Justin Bertram commented on ARTEMIS-2413:
-----------------------------------------
As far as Artemis is concerned JGroups is *only* used for discovery. No actual
connections are made between nodes using JGroups. Therefore this
"vulnerability" is not applicable.
That said, it's worth looking into upgrading JGroups nonetheless, although there
may be changes required in our code to move from 3.x to 4.x.
> Upgrade JGroups
> ---------------
>
> Key: ARTEMIS-2413
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2413
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.6.4
> Reporter: Endre Jeges
> Priority: Major
> Labels: security
>
> I have noticed with the OWASP dependency-check plugin
> (org.owasp:dependency-check-maven:5.0.0) that the currently used
> org.jgroups:jgroups:3.6.13.Final has a [CWE-300: Channel Accessible by
> Non-Endpoint
> ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417]
> vulnerability. The problem has not been reported in the NVD database,
> therefore there is no CVE record.
> The vulnerability has been
> [addressed|https://github.com/belaban/JGroups/pull/348] in version
> org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is
> org.jgroups:jgroups:4.1.1.Final).
> The org.jgroups:jgroups dependency would require an upgrade to resolve the
> vulnerability.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
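A way to carry the triage above into the build, as an added example that is not part of the ticket or of the Artemis project's own pom: the dependency-check plugin keeps running on every build, and the JGroups finding is suppressed narrowly, with the reasoning from the comment recorded next to it and a note to drop the entry once the 4.x upgrade lands. The plugin and suppression element names are those documented for dependency-check-maven; the suppression file name, the CVSS threshold, and the assumption that the scanner reports this OSS Index finding under a name containing "CWE-300" are mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1 of 2: dependency-check-suppressions.xml (assumed file name).
     Records the "not applicable" decision with its reasoning so the next reviewer
     can see why, and scopes it to one artifact range and one finding. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      ARTEMIS-2413: CWE-300 (MitM) finding from OSS Index against org.jgroups:jgroups 3.6.13.Final.
      Per the Artemis team, JGroups is used only for cluster discovery; no connections between
      nodes are made over JGroups, so the finding does not apply to Artemis.
      Remove this entry when jgroups is upgraded to 4.0.2.Final or later (fix: JGroups PR 348).
    ]]></notes>
    <!-- Match only the jgroups artifact in its 3.x range, not every dependency. -->
    <packageUrl regex="true">^pkg:maven/org\.jgroups/jgroups@3\..*$</packageUrl>
    <!-- The finding has no CVE, so match it by the name the scanner reports
         (assumed here to contain the CWE-300 title shown in the ticket). -->
    <vulnerabilityName regex="true">.*CWE-300.*</vulnerabilityName>
  </suppress>
</suppressions>

<!-- File 2 of 2: pom.xml, build/plugins section.
     Runs the scanner on every build, points it at the suppression file above, and fails
     the build for any remaining finding scoring CVSS 7 or higher (assumed threshold). -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.0.0</version>
  <configuration>
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Scoping the suppression to the 3.x `packageUrl` range means the entry silently stops matching after the upgrade, and the `notes` block is what turns a suppression from a blind spot into a documented risk decision that can be re-checked when the JGroups usage in the code changes.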